By Dr. Thomas Jansen and Dr. Jan Geert Meents
Yesterday, October 26, 2015, the German Federal Data Protection Officer and the Data Protection Authorities (DPAs) of the German Federal States (together “Datenschutzkonferenz” – DSK) issued a position paper calling into question all methods of data transfer to the United States.
Specifically, the European Court of Justice invalidated the U.S.-EU Safe Harbor Program on October 6, 2015 (20 ECLR 1420, 10/14/15), in which over 4,400 U.S. organizations had participated. Regarding the remaining possible methods of data transfer, the DSK yesterday stated that “[i]n light of the judgment of the ECJ, the admissibility of data transfers to the United States on the basis of other instruments used for this purpose such as standard contractual clauses or BCRs are questionable.”
Further, the DPAs said they wouldn’t approve any new transfers on the basis of binding corporate rules or data export agreements and confirmed that they would be “exercising their powers to audit” standard contractual clauses. The DSK said it is necessary for them to make decisions regarding standard contractual clauses that are consistent with the specifications set out in the ECJ ruling.
The only other basis for transfer under German data protection law is the consent on the data subject. Regarding consent, the DPAs stated that data subject consent “might be a sound basis” for transfers to the U.S. under “strict conditions” but not “massively, or routinely.” However, experience has shown consent to be an impractical basis for data transfer for most organizations.