Following on from the EU Article 29 Working Party Statement of 16 October 2015, the Conference of the German Data Protection Authorities (“DPAs”) has today issued guidance (referred to as a Position Paper) on the consequences of the CJEU decision in the Schrems case (Case C-362/14).
The key points are:
- Transfers solely on the basis of Safe Harbor will be prohibited. Not surprisingly, the DPAs state that data transfers to the US based on the EU Commission’s Safe Harbor Decision are now illegal. Consequently, the DPAs will prohibit any transfers to the US based solely on the Safe Harbor Decision.
- No further approvals for BCRs and ad hoc data export agreements to the US. More surprisingly, the DPAs state that “for now” they will not issue any new approvals for Binding Corporate Rules (“BCRs”) and “data export agreements.” This puts businesses that were considering implementing BCRs as a replacement for Safe Harbor, and intended to rely on BCRs for transfers of data from Germany to the US, in a difficult position.
It is important to note that unlike in many EU Member States, in Germany transfers based on EU Model Clauses do not require notice to DPAs or their prior approval. Thus, transfers under “data export agreements” that are EU Model Clauses (rather than ad hoc agreements) do not require approval from the DPAs (but see more below). Accordingly, the DPAs’ decision not to approve “data transfer agreements” would not affect agreements that are in effect EU Model Clauses.
The Position Paper does not address whether existing BCRs and “data export agreements” that the DPAs have previously approved remain valid. Our view is that businesses that have already obtained such approvals should assume they remain valid, but should closely monitor any further guidance issued from their local German DPA(s), which might suggest otherwise.
- Transfers on the basis of EU Model Clauses could be held to be invalid by DPAs. The DPAs also cast doubt as to whether transfers made under EU Model Clauses will remain valid. The DPAs noted that they have the authority to prohibit data transfers based on EU Model Clauses under Article 4 of the EU Commission decisions (2004/915/EC and 2010/87/EU) approving EU model clauses, and that they should take into account the principles articulated in the Schrems ruling (in particular relating to the scope of surveillance activities and judicial redress in the US) in exercising that authority.
Thus, for now, the DPAs will view transfers under the EU Model Clauses as remaining valid. A determination of invalidity will require the relevant DPA(s) to make a determination that a transfer is invalid.
As German data protection law does not generally require notification to the DPAs as to what export solution is being used, it is not clear that DPAs will imminently come to such a conclusion. However, if a complaint is made to a DPA about the legality of a transfer, or a breach occurs where data has been exported to the US, the subsequent DPA investigation might lead to such a determination.
- Consent remains a valid ground. Data subject consent can still legitimize data transfers to the US. However, the DPAs emphasize their general view that consent is only valid in narrow cases. The use of consent is doubted in particular where the data transfer is considered to be excessive, repeated or routine.
The German DPAs’ guidance adds to the uncertainty created by the EU Article 29 Working Party Statement of 16 October 2015 and the Schleswig-Holstein DPA Position Paper of 14 October 2015.
Given that BCRs have been viewed as providing greater privacy protections than EU Model Clauses, the DPAs’ decision not to issue further approval for BCRs appears counter-productive. This position may suggest that if a German DPA is forced to make a determination as to whether a transfer under EU Model Clauses is valid, there is a strong possibility that a similar conclusion, one of invalidity, will be reached.
Until there is further clarity or a determination regarding EU Model Clauses, businesses have little alternative but to put in place EU Model Clauses, and wait for further clarity or Safe Harbor II.