German DPAs Announce Policy Severely Limiting Mechanisms for Lawful Germany-to-U.S. Data Transfers
Over the course of the coming weeks, we will examine the various options available to companies in light of the European Court of Justice’s (CJEU) decision invalidating the US-EU Safe Harbor framework, including model contracts, binding corporate rules (BCRs), consent and reliance on derogations.
News out of Germany, however, indicates that a one-size-fits-all approach to data transfers from the EU to the U.S. may be difficult to achieve.
In the wake of the CJEU’s decision, the German data protection authority (DPA) for the state of Schleswig-Holstein had called into question the ability of companies to rely on consent and model contractual clauses to transfer personal data to the United States and, according to unofficial sources, at least two other German DPAs (in Berlin and Bremen) were in agreement. Today, the Conference of Data Protection Commissioners (which includes the German federal as well as each of the German state DPAs) has issued a Position Paper indicating that this no longer should be considered an outlier position, at least in Germany. Key takeaways from the Position Paper are as follows:
Audits: Under the EU Commission’s adequacy decisions regarding the standard contractual clauses, each member state has the right to “prohibit or suspend data flows . . . where . . . it is established that the law to which the data importer or a sub-processor is subject imposes upon him requirements to derogate from the applicable data protection law . . . where those requirements are likely to have a substantial adverse effect on the guarantees provided by the applicable data protection law and the standard contractual clauses.” The German DPAs have indicated their intent to exercise this audit right, particularly in light of the portions of the CJEU’s decision which held that legislation permitting public authorities to have generalized access to the content of electronic communications as well as the absence of legislation providing an avenue for an individual to pursue legal remedies related to his/her personal data are in violation of the “essence of the fundamental right[s]” to respect for private life and to effective judicial protection.
No New Data Transfer Approvals Based on BCRs or Data Export Contracts: The German DPAs will grant no new approvals for data transfers to the U.S. on the basis of BCRs or data export contracts.
Limited Validity of Consent: Consent may be a valid basis for transfers but not for massive or routine transfers and, with respect to exporting data regarding employees, only in exceptional cases.
The position of the German DPAs is at odds with that of the Article 29 Working Party, which stated in a press release that Standard Contractual Clauses and Binding Corporate Rules still can be used, at least for now.