Data Protection Report - Norton Rose Fulbright

The German data protection authority from the northern state Schleswig-Holstein has released guidance in connection with the ECJ’s decision on Safe Harbor.

In Germany, the 16 federal states are authorized to supervise businesses in data protection affairs. While typically the authorities align their position before publishing important guidance, there appears to have been no coordination in connection with the Schleswig-Holstein position paper. The Schleswig-Holstein authority is known for its very strict and conservative interpretation of data protection laws, so the position paper is accordingly strict and conservative in its approach.

In summary, the Schleswig-Holstein authority strongly questions if data export to the United States can be based on EU Model Clauses in the future and even questions a transfer based on consent.

  • The authority refers to Art. 5 (b), according to which an importer has to warrant “that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract.” According to the DPA, an importer in the US is no longer in the position to give such a warranty.
  • According to the authority, controllers transferring data to a US processor should “take into consideration terminating the data transfer agreement or suspending the data transfers.” The authority stated: “In consequential application of ECJ’s decision a data transfer based on model clauses is no longer admissible”.

Our take

The position paper is certainly provocative in questioning many companies’ business models that require or simply include trans-Atlantic data transfers. In essence, intra-group transfers would – if at all – only be possible based on binding corporate rules (BCRs).

Given, however, that none of the other 15 states’ data protection authorities published (and most probably will not publish) similar strict and conservative guidance and that the authority’s responsibility is limited to the state of Schleswig-Holstein, its position is likely to remain an outlier. Ultimately, the tone will be set by WP29, which is meeting this week and is expected to issue broader guidance.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.