Just When You Thought EU “Model Clauses” Are Safe to Transfer EU Data, Think Again

After the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor framework for EU-US data transfer, companies began to rely on the EU’s “Model Clauses” as a valid means of transferring data from the European Union. In fact, almost all multi-national corporations adopted “Model Clauses” as the interim best practice to transfer EU data from the European Union.

However, the EU “Model Clauses” do not directly address US national security surveillance laws, which remain unchanged and continue to apply to large multi-national corporations. This has given rise to this latest CJEU proceeding initiated by the Irish Data Protection Commissioner (DPC). The DPC recently announced that it will ask the CJEU to determine whether Facebook can transfer EU data from the European Union via the use of EU’s model clauses. A copy of the press release can be found here.

In addition to the ongoing EU-US Privacy Shield negotiations that will likely continue for at least the next year, we must now watch for the CJEU’s decision on whether EU “Model Clauses” adequately protect EU data from big government surveillance practices. Given the current state of EU data transfers, best practices must continue to be examined and developed by the data privacy industry.