Another development in the slow unraveling of the legal regime governingĀ EU-U.S. data flows: The Irish data protection agency has warned that one of the mechanisms currently being used by thousands of companies might not be legal.
Companies such as Facebook were forced toĀ switch toĀ alternativeĀ mechanisms toĀ govern data transfers afterĀ the prior data transfer deal, Safe Harbor, was struck down last year.
The DPA said today it isĀ referring so-called “model contract clauses” to the Irish High Court for referral on to the European Court of Justice (CJEU) — the latter being the same court that invalidated Safe Harbor on the grounds that it breached fundamental European data protection rights.
TheĀ original 2013 legal challenge that resulted in Safe Harbor being struck downĀ was brought by European privacy campaigner Max Schrems, who had argued that the U.S. government’s mass surveillanceĀ programs — which NSA whistleblower Edward Snowden revealed to be miningĀ data fromĀ consumer web services such asĀ Facebook — invalidated the long-standing EU-U.S. data flow deal by contravening European data protectionĀ laws. The CJEU agreed.
AfterĀ Safe Harbor’s strike down, model contract clauses wereĀ one of the mechanisms the European Commission pointed to as an extant alternative available to companies to switch to. The EC has also been negotiating a new EU-U.S. data transfer deal to replace Safe Harbor — although it is not clear whether that agreement, called Privacy Shield, willĀ pass muster with the CJEU either.
Work on the Privacy Shield is ongoing, with only a draft deal on the tableĀ so far, leaving the alternative data flow mechanisms to pick up the slack.Ā Meanwhile, Europe’s article WP29 group, the body made up of the heads of EU Member State DPAs, has signaled it is not satisfied with Privacy ShieldĀ in its current form. Schrems has also slammed itĀ as flawed as Safe Harbor. So further murky waters lie ahead there.
The WP29 is also assessingĀ the legality of the alternative data transfer mechanisms, including model clauses, but has previouslyĀ said companies canĀ use them in the interim, while work to agree the Privacy Shield continues. However givenĀ individualĀ DPA action, such as the referralĀ by the Irish authority today, thoseĀ alternatives areĀ looking to beĀ on increasingly shaky ground.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
TechCrunch understands a keyĀ concern over model clauses isĀ a structural issue, given the lack of redress facilities for European citizens wanting to pursue claims in the U.S. against companies they believe have breachedĀ their EuropeanĀ rights. That issue has also been one of the key negotiation areas for Privacy Shield.
The CJEU ruling also instructedĀ National DPAs to seek a referral to the central European court in cases where they believe there are specific causes for concern, such as the structural issue with model clauses outlined above. Which likely explains the Irish DPA’s move in this case.
The Irish DPAĀ hasĀ been investigating model clauses following another complaint filed by Schrems, who is clearly not about to pack up his law books and give up campaigning forĀ EuropeanĀ data rights.
In a statement provided to TechCrunch about the referral, the Irish DPA said:
We continue to thoroughly and diligently investigate Mr Schremsā complaintĀ to ensure the adequate protection of personal data. We yesterday informedĀ Mr Schrems and Facebook of our intention to seek declaratory relief in theĀ Irish High Court and a referral to the CJEU to determine the legal statusĀ of data transfers under Standard Contractual Clauses. We will update allĀ relevant parties as our investigation continues.
In a statement responding to the news of the Irish DPA’s action, Schrems added:
This is a very serious issue for the US tech industry and EU-US data flows. As long as far-reaching US surveillance laws apply to them, any legal basis will be subject to invalidation or limitations under EU fundamental right. I see no way that the CJEU can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws. All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the US does not substantially change its laws I donāt see now there could be a solution.
In a statement provided to TechCrunch, a Facebook spokesperson had this to say:
Thousands of companies transfer data across borders to serve their customers and users. The question the Irish DPC plans to raise with the court regarding Standard Contract Clauses will be relevant to many companies operating in Europe. While there is no immediate impact for people or businesses who use our services, we of course will continue to cooperate with the Irish Data Protection Commission in its investigation. Standard Contract Clauses remain valid, and Facebook has other legal methods in place to transfer data between countries.
Safe to say, uncertainty looks to beĀ the new normal for businesses needing to transfer European citizens’ data to the U.S.
And with EU Member State DPAs now instructed to follow a set path of referring similar complaints to theĀ CJEU, any quick fixes lookĀ set to rapidly run out of road. In short:Ā buckle up for a bumpy ride.
