The Demise of Model Clauses

By: Suzette Corley, Global Privacy Paralegal

Could Model Clauses be the next framework to be knocked down?

Legal practitioners have long debated the issue of restrictive corporate laws. At the center of this dispute is the question of international data transfer flows between the EU and other countries such as the US, with an emphasis on re-examining the model clauses. The Data Protection Commissioner in Ireland (ODPC) announced it would apply to the Irish courts regarding the legality of the Standard Contractual Clauses, or Model Clauses. There is also strong discontent with the Privacy Shield, and companies are afraid to move forward with these data transfer mechanisms. The recommendation is that it needs to be revised to protect it from further scrutiny in the future.

Rest in Peace the Model Clauses – Not So Quick!

Lately, the Model Clauses that govern data transfers have come under heavy attack from privacy advocates. Safe Harbor, as we know, is no longer a mechanism for moving data between the U.S. and the EU, due to mass surveillance carried out by US intelligence authorities. Similarly, the model clauses face the challenge of the possibility (real or perceived) of mass surveillance by US intelligence authorities. Again, the US has been accused of not protecting the privacy rights of people living in the EU. Given that scenario, there is every likelihood that the model clauses will face the same fate as Safe Harbor. Knocking down the model clauses would be suicidal for the many companies that rely on them.

The bone of contention is that the current legal regime being used by businesses is not legal after all. For example, Facebook, having been inconvenienced by such laws, was too quick to seek alternatives and embraced different mechanisms. Similarly, other companies have voiced the structural issues of the model clauses. This does not go down well with privacy advocates.

Another cardinal concern about the model clauses is that EU residents face a difficult task when pursuing claims in the US against companies that they believe have breached their European rights. From the beginning, data security experts have admitted that the model clauses are flawed. However, they were still the quickest and probably the easiest body of laws that would fill the gap after the imminent demise of the Safe Harbor.

Thousands of companies transfer their data to offer their products and services to clients beyond their borders. Hopefully, the proceedings in the Irish courts are going to redefine the present laws and shed more light on the search for a permanent solution regarding data privacy laws. However, privacy advocates are quick to warn companies and their clients that looking for a quick fix is inconsequential. Rather, all stakeholders should provide extensive input to avoid the fluidity and uncertainty of the privacy laws that govern the industry at the moment.

Media houses have focused on how the current EU General Data Protection Regulation (GDPR) is dangerous for companies, especially tech companies such as Google. At the same time, there is significant concern that many apps are not compliant with the EU GDPR. The outcome of the court cases is going to bring more sanity to the data industry.

Another concern is that the current GDPR is not modernized, and also not personalized. The impact is that some of the operations regarding data protection are obsolete. Again, the increased use of cloud computing has made it harder to solve stubborn questions that touch on data protection.

Bottom Line

There are changing dynamics shaping the data privacy laws in the EU. If the model clauses are invalidated, then the companies that rely heavily on them are going to use either or both of these options: transforming their operations under the binding corporate rules or, alternatively, obtaining consent from the subjects. Such changes are going to disrupt data flows more drastically than the invalidation of the Safe Harbor did. The only countries that may not feel the substantial impacts of the current developments are those that are perceived to have an adequate data privacy regime. However, for now, companies will still have to rely on the model clauses until the courts in Luxembourg and Ireland determine the case.

Article keywords: Privacy Shield, Data Privacy, GDPR, Model Clauses




Disclaimer: This article provides general information and materials related to contract management. This article does not provide legal advice. Agile Contract Management is not a law firm nor does it provide legal advice. You should contact an attorney to obtain advice with respect to any particular legal issues or questions.
