September 23, 2021

Volume XI, Number 266


German DPAs Announce Policy Severely Limiting Mechanisms for Lawful Germany-to-U.S. Data Transfers

Over the course of the coming weeks, we will examine the various options available to companies in light of the European Court of Justice’s (CJEU) decision invalidating the US-EU Safe Harbor framework, including model contracts, binding corporate rules (BCRs), consent and reliance on derogations.

News out of Germany, however, indicates that a one-size-fits-all approach to data transfers from the EU to the U.S. may be difficult to achieve.

In the wake of the CJEU’s decision, the German data protection authority (DPA) for the state of Schleswig-Holstein had called into question the ability of companies to rely on consent and model contractual clauses to transfer personal data to the United States and, according to unofficial sources, at least two other German DPAs (in Berlin and Bremen) were in agreement. Today, the Conference of Data Protection Commissioners (which includes the German federal as well as each of the German state DPAs) has issued a Position Paper indicating that this no longer should be considered an outlier position, at least in Germany. Key takeaways from the Position Paper are as follows:

  • Audits:  Under the EU Commission’s adequacy decisions regarding the standard contractual clauses, each member state has the right to “prohibit or suspend data flows . . . where . . . it is established that the law to which the data importer or a sub-processor is subject imposes upon him requirements to derogate from the applicable data protection law . . . where those requirements are likely to have a substantial adverse effect on the guarantees provided by the applicable data protection law and the standard contractual clauses.”  The German DPAs have indicated their intent to exercise this audit right, particularly in light of the portions of the CJEU’s decision which held that legislation permitting public authorities to have generalized access to the content of electronic communications as well as the absence of legislation providing an avenue for an individual to pursue legal remedies related to his/her personal data are in violation of the “essence of the fundamental right[s]” to respect for private life and to effective judicial protection.

  • No New Data Transfer Approvals Based on BCRs or Data Export Contracts:  The German DPAs will grant no new approvals for data transfers to the U.S. on the basis of BCRs or data export contracts.

  • Limited Validity of Consent:  Consent may be a valid basis for transfers but not for massive or routine transfers and, with respect to exporting data regarding employees, only in exceptional cases.

The position of the German DPAs is at odds with that of the Article 29 Working Party, which stated in a press release that Standard Contractual Clauses and Binding Corporate Rules still can be used, at least for now.

© 2021 Proskauer Rose LLP. National Law Review, Volume V, Number 299

About this Author

As innovations in technology make it easier to track, collect and process personal information about individuals, companies of all kinds are challenged to manage the way that they use data to both comply with U.S. and non-U.S. laws and to protect such data from unauthorized access. In addition to maintaining compliance in a continuously evolving legal landscape, companies must also contend with industry standards promulgated by a wide array of diverse and sometimes overlapping industry groups. Yet, on a daily basis we hear reports of companies having suffered data...
