German DPAs issue a Position Paper on Safe Harbor

By Dr. Jan Geert Meents and Dr. Thomas Jansen

Today the German Federal Data Protection Officer and the Data Protection Authorities (DPAs) of the German Federal States (together “Datenschutzkonferenz” – DSK) issued a joint statement on the Safe Harbor decision:

  1. According to the Safe Harbor decision of 6 October 2015, a data transfer based on the Safe Harbor decision by the European Commission of 26 July 2000 (2000/520/EG) is not permitted.
  2.  In the light of the ECJ decision, the other instruments to provide for a permissible data transfer to the U.S., such as EU Model Clauses or binding corporate rules (BCR), are questioned as well.
  3. The ECJ states that irrespective of the decisions of the European Commission DPAs of the EU member states are not prevented from independently assessing the adequacy of the data protection level in third countries.
  4. The ECJ calls on the Commission and the national DPAs to review the data protection level in the U.S. and other third countries (in terms of legal framework and legal practice). The ECJ, in this respect, sets detailed standards of review with strict corresponding requirements.
  5. To the extent that data protection authorities learns of data transfers to the U.S. solely based on Safe Harbor, they will prohibit those.
  6. To exercise their auditing rights according to Article 4 of the respective Commission decisions on EU Model Clauses of 27 December 2004 (2004/915/EG) and of 5 February 2010 (2010/87/EU), the DPAs will base their reviews on the principles determined by the ECJ, especially those referred to in recitals 94 and 95 of the ECJ decision.
  7. For the time being, the DPAs will not issue any new permissions for data transfers to the U.S. on the basis of BCRs or data transfer agreements.
  8. Therefore, companies are called on to set up their data transfer procedures in compliance with data protection requirements. Companies that intend to transfer data to the U.S. or other third countries shall in this regard also be guided by the DSK decision of 27 March 2014 (“Gewährleistung der Menschenrechte bei der elektronischen Kommunikation” – Ensuring human rights in electronic communication) and by the guidance on “Cloud Computing” of 9 October 2014.
  9. Consent to a transfer of personal data may under strict requirements be seen as a valid legal basis for a transfer of data. In general, such data transfer is not to take place repeatedly, excessively or routinely.
  10. As far as the transfer of employee data is concerned or in case of third party data being affected at the same time, consent may only exceptionally serve as a legal basis for the data transfer to the U.S..
  11. The DPAs call on the legislators to grant them the right in accordance with the ECJ decision to file claims.
  12. During its negotiations with the US, the Commission is requested to push for granting of appropriate guarantees for the protection of privacy. This especially applies to the right to legal protection before courts, material data protection and the principle of proportionality. Moreover, the decisions on model clauses need to be aligned with the requirements set out in the ECJ decision. In this regard, the DSK welcomes the deadline of 31 January 2016 as set by the Article 29 Working Party.
  13. The DSK requests that the German Federal Government in direct negotiations with the U.S. Government push for compliance with an adequate protection level as regards privacy and data protection .
  14. The DSK requests that the Commission, the Council of the European Union and the Parliament in the ongoing trilogue negotiations assert the strict criteria set out by the ECJ in Chapter V of the European Data Protection Regulation.