February 5, 2023

Volume XIII, Number 36


EU Data Protection Authorities Enforcement Guidance Post-Schrems

Industry eagerly awaits further guidance from data protection authorities (“DPAs”) relating to the EU-U.S. Privacy Shield as well as on the validity (or otherwise) of other mechanisms for transfers to the U.S. such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”).  As we explained in recent posts (here and here), publication of an opinion by the Article 29 Working Party, representing, among other things, the EU’s data protection authorities, is a key next step that will shape enforcement and data transfer options for companies in the post-Schrems environment.  Until then, here is a summary of the approach that some of the national DPAs are taking:

  • Austria.  The Austrian Data Protection Authority (the “Austrian DPA”) has published FAQs on its website (see here), confirming that data transfers to the U.S. should not take place exclusively on the basis of the Safe Harbor.  Instead, companies could either store and process personal data locally on a server in the European Economic Area or in third countries which have been officially recognized as providing an adequate level of protection.  Alternatively, they can base the data transfer on one of the statutory derogations or, in principle, on SCCs or BCRs; however, in the latter two cases, the Austrian DPA reserves the right to assess the adequacy of the level of protection on a case-by-case basis in the framework of the authorization procedure.  Whilst the Austrian DPA has not stated that it would take enforcement action, it might be obliged to do so if it becomes aware of a violation of the Austrian data protection law.

  • Estonia.  Senior officials within the Estonian Data Protection Inspectorate are reported to have put in place an informal enforcement moratorium, and will not “take enforcement actions against enterprises who were using invalidated Safe Harbor — until the moment when the new EU-U.S. Privacy Shield will be available for them.”

  • France.  While the French data protection authority (the “CNIL”) is largely aligned with the opinions expressed by the Article 29 Working Party, it has started to implement enforcement measures.  We understand that the CNIL started sending notices to data controllers as early as November 2015.  The notices remind data controllers that they can no longer rely on the now-defunct Safe Harbor and request that they move to alternative transfer mechanisms.  The CNIL had previously stated that if no alternative basis for transfer is declared to the CNIL by the end of January 2016, it will assume that transfers of personal data to the U.S. have stopped, and that it reserves the right to take appropriate measures if the conditions for transfer of personal data do not comply with the French Data Protection Law.

  • Germany.  The German data protection authorities responsible for data protection at federal and state level (the “German DPAs”) published a position paper (see here and our blog post here) on the EU-U.S. Safe Harbor in the wake of its invalidation.  Among other things, the German DPAs announced that the validity of SCCs and BCRs is called into question and that they would not issue new authorizations for transfers to the U.S. based on BCRs or data export agreements (essentially, substantively amended SCCs or ad-hoc agreements).  The German DPAs also stated that if they become aware of transfers of personal data exclusively based on the Safe Harbor, they will prohibit such transfers.

This position has also been confirmed in statements issued by individual German DPAs last year and after the public announcement of the Privacy Shield at the beginning of February this year (for instance, for Hessen see here, for Bavaria see here, for North-Rhine Westphalia see here, and for Rhineland-Palatinate see here).  Already in November last year, the Hamburg DPA announced a three-phase approach (see here): as a first step, the Hamburg DPA identified companies that are most likely to transfer personal data to the U.S. and informed them of the implications of the Schrems ruling; between December 2015 and January 2016 the Hamburg DPA issued information requests to those companies asking whether they do actually transfer personal data to the U.S. and, if so, on which legal basis; and, as a third step, the Hamburg DPA threatened to take enforcement action starting in February 2016 to prevent illegal data transfers from taking place on the basis of the now-defunct Safe Harbor framework.

The most critical position among the German DPAs has been taken by the Schleswig-Holstein DPA (the “ULD”).  In a position paper dated October 14, 2015 (see here), the ULD threatened that it may prohibit or suspend data transfers to the U.S. based on the SCCs by administrative order and impose administrative fines for violations of the Federal Data Protection Act.  The ULD announced that it will examine whether orders against private bodies must be issued and on which basis data transfers to the U.S. must be suspended or banned.  Furthermore, it will examine whether private bodies have committed an offence by transmitting data to a third country without an adequate level of data protection.

We are not aware of any of the German DPAs having issued any administrative orders prohibiting or suspending data transfers to the U.S., or having imposed sanctions for such transfers.

  • The Netherlands.  Senior officials within the Dutch Data Protection Authority are reported to be taking a pragmatic, “wait-and-see” approach, noting that it “will not take enforcement actions until we have ended our analysis.”

  • Poland.  The Polish data protection authority (Inspector General for Personal Data Protection – “GIODO”) released a statement, prior to the Privacy Shield announcement, confirming that under Polish data protection law, SCCs and BCRs can still be used, but that it will “react to any complaints received… even those submitted before 1 February 2016” (the initial end-date of the Article 29 Working Party enforcement moratorium).

  • Sweden.  Senior officials within the Swedish Data Protection Authority are reported to have put in place an informal enforcement moratorium, the duration of which is uncertain as “for the moment [the Swedish Data Protection Authority is] not taking any such action” (emphasis added).

  • UK.  The UK Information Commissioner’s Office (“ICO”) has said that it is “clear that organisations can continue to use other tools such as SCCs and BCRs for transfers to the USA”, and that it is not “rushing to use our enforcement powers.  There is no new and immediate threat to individuals’ personal data that has suddenly arisen that we need to act quickly to prevent” (see ICO blog post and interim guidance).

Inside Privacy will continue to monitor the respective enforcement positions of the Member State data protection authorities as well as the opinion of the Article 29 Working Party, which we can hopefully expect in the coming weeks.

Joseph Jones also contributed to the writing of this article.

© 2023 Covington & Burling LLP. National Law Review, Volume VI, Number 52

About this Author

Mark Young, Data privacy and cybersecurity lawyer, Covington

Mark Young advises clients on data protection, cybersecurity and intellectual property matters. He has particular expertise in regulatory compliance and legislative advocacy, cyber and data security incident preparation and management, and online IP enforcement.

According to the latest edition of Chambers UK (2018), he has "a really sharp analytical mind and good understanding of key regulations." In previous editions, he has been recognized as "a trusted adviser - practical, results-oriented and an expert in the field," and "enjoying a growing reputation...

Kristof Van Quathem, Covington, data privacy attorney
Special Counsel

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sectors. Mr. Van Quathem has been specializing in this area for over fifteen years and covers the entire spectrum of work, from advising clients on government affairs strategies during the lawmaking process, to compliance advice on adopted laws, regulations and guidelines, to the representation of clients in non-contentious and contentious matters before data protection authorities.