Conference of German Data Protection Officers' Position Paper Offers Guidance on Safe Harbor Decision
No New Approvals for Data Transfers to the U.S. Based on BCRs or Ad-Hoc Clauses
On October 26, 2015, the Conference of the Data Protection Commissioners of the German Federation and the German States (the "Conference") issued a position paper (source document in German), which followed the Article 29 Working Party's October 16, 2015 statement on the practical consequences of the European Court of Justice's ("ECJ") Safe Harbor invalidation decision (the "Safe Harbor Decision"). This position paper contains relevant guidance on how German Data Protection Authorities ("DPAs") view data transfers to the U.S. after the ECJ declared the European Commission's 2000/520/EC Safe Harbor decision (the "Safe Harbor") to be invalid.
SCCs and BCRs Called into Question
According to the Conference's position paper, if DPAs gain knowledge about data transfers to the U.S. that are solely based on the Safe Harbor, they will prohibit such data transfers. The Hamburg DPA even announced that it will audit companies in this regard, in particular subsidiaries of Safe Harbor-listed U.S. companies having their legal seat in Hamburg and transferring data to their U.S.-based parent companies.
In the light of the Safe Harbor Decision, the Conference further questioned the admissibility of data transfers to the U.S. on the basis of Standard Contractual Clauses ("SCCs") or Binding Corporate Rules ("BCRs"). For instance, the Conference pointed to the DPAs' authorization to suspend data transfers supported by SCCs in certain individual cases as provided in Article 4 of the SCCs. The Conference also stated that in executing this authorization, the DPAs will take into account the principles formulated in the Safe Harbor Decision, in particular that laws allowing for access on a generalized basis to the content of electronic communications and denying effective judicial protection of data subjects will not be regarded as adequate. This seems to indicate that the Conference does not regard the SCCs per se inappropriate to govern data transfers to the U.S.; rather, it underlines the right of the DPAs to suspend data transfers in certain individual cases. In any case, the DPAs are currently not issuing any new approvals for data transfers to the U.S. on the basis of BCRs or data export agreements (also known as ad-hoc clauses).
The Conference therefore requested companies to adjust their data transfer proceedings without undue delay. In this regard, companies transferring data to the U.S. or other countries should take into account the Conference's March 27, 2014 decision, "Ensuring Human Rights in Electronic Communication" (Gewährleistung der Menschenrechte bei der elektronischen Kommunikation), and its October 9, 2014 decision, "Orientation Guideline Cloud Computing" (Orientierungshilfe Cloud Computing).
Consent to U.S. Data Transfers Only Under Restrictive Conditions
The Conference confirmed that consent to the transfer of personal data may be regarded as a valid legal basis under certain conditions. However, according to the Conference, the data transfers relying on consent should not occur on a repeated or routine basis or in massive volume. In the case of export of employee data or in the event that data of third parties are affected simultaneously, consent can be a valid legal basis for data transfers to the U.S. in exceptional cases only. However, the Conference has not defined which transfers may qualify as "exceptional" cases.
Direct Right to Legal Action for Authorities
The Conference also requested that legislators in Germany adopt laws granting DPAs a right of legal action before the courts. In the Safe Harbor Decision, the ECJ confirmed that it alone has jurisdiction to declare an EU act invalid. On the other hand, even where the European Commission has adopted a decision finding that a country outside the EU affords an adequate level of protection of personal data, the ECJ encouraged national DPAs to bring legal action before national courts where a claim is lodged. This would enable national courts to request a preliminary ruling from the ECJ for the purpose of examining the validity of the European Commission decision. In Germany, however, DPAs do not have a direct right to legal action before German courts. Currently, court adjudication is possible only in cases where DPAs have issued suspension orders and the recipients of such orders decide to defend their rights in court.
Far-Reaching Privacy Rights to be Ensured in Negotiations with the U.S.
The Conference further requested the European Commission to ensure sufficiently far-reaching guarantees for the protection of privacy in its negotiations with the U.S. The Conference emphasized an agreement with respect to the right to effective judicial protection, material data protection rights, and the principle of proportionality. The Conference also called for the Commission decisions on the SCCs to be promptly adjusted to the requirements stated in the Safe Harbor Decision.
Finally, the Conference called on the European Commission, the European Council, and the European Parliament to comprehensively implement the strict criteria of the Safe Harbor Decision within Chapter V of the upcoming data protection regulation in which the rules for international data transfers are stipulated.
Summary of the Position
The position paper of the Conference goes in some points further than the statement of the Art. 29 Working Party (for example, with respect to currently granting no new approvals for data transfers to the U.S. based on BCRs and ad-hoc clauses, or with regard to limiting the validity of consent to exceptional cases). It does not seem to follow, however, the opinion expressed in the statement of the State Data Protection Authority (Schleswig-Holstein) that data transfers on the basis of Standard Contractual Clauses to the U.S. are per se prohibited. The Conference thus still leaves companies the possibility to base their data transfers to the U.S. on SCCs, at least for the interim period until end of January 2016, during which time the Article 29 Working Party will further assess SCCs and BCRs in light of the Safe Harbor Decision.