The German Data Protection Authorities (in total 17 for the private sector) have today published their position (German) on the consequences for transfers of personal data to the USA after the Court of Justice of the European Union (CJEU) recently struck down the Safe Harbor decision of the European Commission (Case C-362/14).
Not an easy task
According to recent media reports (https://www.tagesschau.de/inland/safe-harbor-105.html, in German), the process of finding a common approach was not an easy task. Not all Data Protection Commissioners seem to share the same view on the legal conclusions and consequences for businesses that have to be drawn from the court’s judgment. So the position now published seems to reflect only the lowest common denominator. On 14th October, for example, the Data Protection Authority of Schleswig-Holstein (known for its strict interpretation of the law) published its own assessment of the judgment (available in English) and concluded that “a data transfer on the basis of Standard Contractual Clauses to the US is no longer permitted”.
The official position
Below, I summarize the position of the German authorities:
As the Article 29 Working Party already did in its statement (PDF), the German authorities highlight that data transfers to the USA are unlawful if they are solely based on the Safe Harbor decision.
The German authorities further clarify that they will prohibit any data transfer based on Safe Harbor they gain knowledge of. The watchdogs will base the exercise of their powers under Article 4 of the respective decisions by the European Commission for standard contractual clauses (2004/915/EC and 2010/87/EC) on the principles formulated by the CJEU in margin numbers 94 and 95 of its judgment. This refers especially to the finding of the CJEU that legislation in the European Union permitting public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter of Fundamental Rights.
At the moment, the German authorities will not grant new approvals for data transfers on the basis of Binding Corporate Rules (BCR) or contracts to export personal data to the USA.
Consent may be an acceptable basis for data transfers, according to the authorities, but only within narrow limits. In general, the respective data transfer may not take place repeatedly or as a matter of routine.
The German authorities ask the national legislator to provide the authorities with their own legal remedies enabling them to put forward their objection against an adequacy decision by the European Commission before the national courts (see margin number 65 of the judgment).
Furthermore, the authorities request the European Commission to amend the current standard contractual clauses in light of the CJEU’s decision in a timely manner. The deadline set by the Article 29 Working Party (31st January 2016) is welcomed by the German watchdogs.
Interestingly, the German authorities also call on the German government to directly contact the US government and to press for adherence to an adequate level of protection of the fundamental rights of privacy and data protection.
As already mentioned, this position only forms the lowest common denominator and is not binding. Views in the different federal states may therefore differ. To recall one of the central points of the CJEU’s decision, Data Protection Authorities are responsible for monitoring, with complete independence, compliance with EU rules on the protection of individuals with regard to the processing of such data. It can therefore not be ruled out that we might see differing implementations of the judgment within Germany. The authorities also highlight their independence in their position.