By Dr. Thomas Jansen and Dr. Jan Geert Meents
Yesterday, October 26, 2015, the German Federal Data Protection Officer and the Data Protection Authorities (DPAs) of the German Federal States (together “Datenschutzkonferenz” – DSK) issued a position paper calling into question all methods of data transfer to the United States.
Specifically, the European Court of Justice invalidated the U.S.-EU Safe Harbor Program on October 6, 2015 (20 ECLR 1420, 10/14/15), in which over 4,400 U.S. organizations had participated. Regarding the remaining possible methods of data transfer, the DSK yesterday stated that “[i]n light of the judgment of the ECJ, the admissibility of data transfers to the United States on the basis of other instruments used for this purpose such as standard contractual clauses or BCRs are questionable.”
Further, the DPAs said they wouldn’t approve any new transfers on the basis of binding corporate rules or data export agreements and confirmed that they would be “exercising their powers to audit” standard contractual clauses. The DSK said it is necessary for them to make decisions regarding standard contractual clauses that are consistent with the specifications set out in the ECJ ruling.
The only other basis for transfer under German data protection law is the consent on the data subject. Regarding consent, the DPAs stated that data subject consent “might be a sound basis” for transfers to the U.S. under “strict conditions” but not “massively, or routinely.” However, experience has shown consent to be an impractical basis for data transfer for most organizations.
The DSK called on all organizations wanting to export data to the U.S. or other third countries to immediately ensure conformity of their data transfer methods, referring them to the DSK’s March 27, 2014 guidance guaranteeing human rights in electronic communication and Oct. 9, 2014 guidance on cloud computing.
The DPAs also requested that German legislators grant them the specific “right of action” to enforce privacy requirements and urged the European Commission to negotiate with the U.S. to create “far-reaching” safeguards to protect privacy including the right to legal protections, substantive data protection rights and the principle of proportionality.
The group said it welcomed the Jan. 31, 2016 deadline set by the Article 29 Working Party for EU and U.S. officials to find a replacement for the invalidated Safe Harbor scheme.
Which Way Forward?
Although the DSK position paper questions the validity of the legal basis of the EU Model Clauses, ultimately, the DSK and German national courts cannot invalidate decisions of the European Commission. No cases regarding the validity of model clauses currently are pending before the ECJ.
Thus, unless and until invalidated by the ECJ, model clauses generally remain a valid method of data transfer to the U.S. and third countries. However, national DPAs may still prohibit transfers based on EU Model Clauses and impose fines. In such case, an affected company should appeal the DPA decision and fine to a German court. The German court then likely would refer the issue to the ECJ.
The consent of the data subject also remains a valid basis for data transfers, provided it is transparent, freely given, and conforms to the conditions set forth by the DPAs.