In the weeks since the October 6, 2015, Court of Justice of the European Union decision (“CJEU Decision”) that invalidated the EU-U.S. Safe Harbor framework, companies have been faced with the quandary of establishing legal alternatives for transferring personal data from Europe to the U.S. We have discussed alternative data transfer mechanisms such as standard contractual clauses (SCCs, also called model clauses) and binding corporate rules (BCRs). Both mechanisms were implicitly endorsed by the European Commission, first in an October 6 press release, and then in an October 16 statement by the European Commission Article 29 Working Party. Not all European countries, however, have taken this position.
On Monday, October 26, a group of German data protection authorities (“German DPAs”) representing the federal government and 16 German states issued a 14-point position paper (available in German here) following the CJEU Decision. The most significant findings include:
- Validity of BCRs and SCCs called into question. Taking a contrary position to the European Commission, the German DPAs have cast doubt on the validity of BCRs and SCCs in light of the CJEU Decision. This follows the findings of a position paper published by the ULD, the data protection authority in the German state of Schleswig-Holstein. The ULD position paper concluded that transfers of personal data between German data exporters and U.S. data importers on the basis of SCCs are no longer permitted because, according to the CJEU Decision, U.S. contractors cannot comply with their contractual obligations given current U.S. law. The rest of the German DPAs appear to have embraced this position.
- No new authorizations of BCRs or data export contracts for personal data transfers to the U.S. At this time, the German DPAs will not issue any new authorizations for transfers of personal data from Germany into the U.S. that rely on BCRs or “data export contracts.” What is unclear is whether existing BCRs and data export agreements that have already been approved will similarly be invalidated. It is also unclear for how long the German DPAs plan to hold this position.
- Data transfers from Germany to U.S. based solely on Safe Harbor are invalid. Following the CJEU Decision, the German DPAs have declared that any transfer of German personal data to the U.S. relying solely on Safe Harbor approval is now invalid.
- Individual consent to transfer of personal data may be used sparingly. The German DPAs carved out a small exception for transfers of personal data “under strict conditions” when an individual provides consent. Consent may not, however, be used on a repeated basis, or used routinely for mass transfers of personal data. Additionally, consent may only be used in “exceptional cases” for the transfer of German employee data to the U.S. The language used here is vague, but the sentiment is clear: the method of individual consent should be used sparingly, if at all, in transferring personal data from Germany to the U.S., and should by no means be used as a standard data transfer practice.
- Intent to exercise auditing power over SCCs. The German DPAs intend to use the power granted to them in the European Commission decisions of December 27, 2004 (2004/915/EC), and February 5, 2010 (2010/87/EU), to audit data transfers of personal information based on SCCs. Article 4 of the 2010/87/EU decision grants the German DPAs the power to “prohibit or suspend data flows to third countries” in cases where the data importer is subject to laws that impose requirements that are “likely to have a substantial adverse effect on the guarantees provided by the applicable data protection law and the standard contractual clauses.” Companies relying on SCCs should be prepared for possible audits by the German DPAs.
- Referral to additional German DPA resolutions. The German DPAs recommended that companies that seek to export personal data from Germany to the U.S. should consult two existing German DPA resolutions. The first, dated March 23, 2014, is titled “Guarantee of Human Rights in the Electronic Communications Sector” (Google translation in English here), and the second, dated October 9, 2014, is titled “Cloud Computing” (available in German here).
While the U.S. and EU have recently agreed in principle on a data-sharing agreement to replace Safe Harbor, it will likely be some time before a new agreement is finalized and implemented. In the meantime, companies wishing to transfer personal data from Germany to the U.S. may have little choice but to rely on existing BCRs, SCCs, or express individual consent.