GERMANY: Data Protection Authorities Call for Right of Action against Adequacy Decisions of the EU Commission

By Thomas Jansen ( and Reka Hatala (

On 20 April 2016 the Conference of the Data Protection Authorities of the German Federal Government and Federal States (“Conference”) published a resolution in which they call for an independent right of action for each single Data Protection Authority (“DPA”) against adequacy decisions of the EU Commission. With this resolution the Conference supports the request of the State Hamburg, which was filed with the legislator on 4 April 2016 and called for passing an express legislative provision granting the right to challenge adequacy decisions of the EU Commission for the DPAs in front of national courts.

As for the background, in the Safe Harbor judgment of 6 October 2015, the Court of Justice of the EU (“CJEU”) laid down the basis for the above mentioned request. The CJEU held that national DPAs must be able to initiate legal proceedings if a person lodged a claim with the DPA concerning the protection of his rights with regard to the transfer of his personal data to a third country based on an adequacy decision of the EU Commission and the DPA considers that the objections of this person are well founded. The CJEU expressed that it is incumbent upon the national legislature to provide for legal instruments enabling the concerned national DPA to put forward the objections which it considers well founded before the national courts in order for them to request a preliminary ruling for the purpose of examination of the validity of the adequacy decision of the EU Commission.

On 13 April 2016 the European data protection authorities (“Article 29 Working Party”) published their critical opinion on the draft EU-U.S. Privacy Shield adequacy decision, which seeks to replace the invalidated U.S. Safe Harbour. As a reaction, also the German DPAs publicly voiced their concern. The Conference shares the comprehensive analysis of the Article 29 Working Party and holds that in its current form the EU-U.S. Privacy Shield is not sufficient to ensure an adequate level of data protection required for the transfer of personal data to the U.S. The Conference supports the call on the EU Commission to make substantial improvements before adopting the adequacy decision contained therein.

This new resolution of the Conference shows that German DPAs already prepare for possible legal challenges against a future adequacy decision by the EU Commission. It remains to be seen if the proposal of the State Hamburg will be adopted in the Federal Council.