Privacy & Information Security Law Blog

On October 26, 2015, the German federal and state data protection authorities (the “German DPAs”) published a joint position paper on Safe Harbor and potential alternatives for transfers of data to the U.S. (the “Position Paper”).

The Position Paper follows the Court of Justice of the European Union’s (the “CJEU’s”) ruling on Safe Harbor and contains 14 statements regarding the ruling, including the following key highlights:

• In light of the Safe Harbor Decision of the CJEU, the German DPAs call into question the lawfulness of data transfers to the U.S. on the basis of other transfer mechanisms, such as standard contractual clauses or Binding Corporate Rules (“BCRs”).
• To the extent that they become aware, the Position Paper indicates that the German DPAs will prohibit data transfers to the U.S. that are solely based on Safe Harbor.
• When using their powers under Article 4 of the respective Commission Decisions on the standard contractual clauses of December 2004 (2004/915/EC) and February 2010 (2010/87/EC) to assess data transfers, the Position Paper indicates the German DPAs will rely on the principles formulated by the CJEU. In particular, the German DPAs will focus on numbers 94 and 95 of the judgment, which address recipient countries that compromise the fundamental right of respect for private life and lack respect for the essence of the fundamental right to effective judicial protection.
• At this time, the Position Paper discloses that the German DPAs will not issue new approvals for data transfers to the U.S. on the basis of BCRs or data export agreements.
• The Position Paper requests companies to immediately design their data transfer procedures in a way that considers data protection. Companies that would like to export data to the U.S. or other third countries should also use as guidance the German DPAs’ March 2014 resolutions on “Human Rights and Electronic Communication” and the October 2014 guidelines on “Cloud Computing.”
• The German DPAs indicate that consent for the transfer of personal data may be a sound legal basis under narrow conditions. In principle, however, the data transfer must not be massive or occur routinely or repeatedly, according to the Position Paper.
• With respect to the export of employee data and certain third party data, the German DPAs indicate that consent may only be a lawful legal basis in exceptional cases for a data transfer to the U.S.
• The German DPAs request the legislators to grant them a right to file an action in accordance with the CJEU judgment.

In the Position Paper, the German DPAs also call upon the European Commission to push for the creation of sufficiently far-reaching guarantees for the protection of privacy during its negotiations with the U.S., including such protections as the right to judicial remedy, data protection rights and the principle of proportionality. Further, the German DPAs indicate it is essential to promptly adjust the Commission Decisions on EU model clauses to the requirements of the CJEU decision. To this extent, the DPAs welcome the deadline of January 31, 2016 set by the Article 29 Working Party.