On 13 May 2016, the German Bundesrat (representing the sixteen Länder) in a resolution (BR Drs. 171/16 (B) pdf, German) prompted the Federal Government to introduce a new law for a right of action by data protection authorities against so-called adequacy decisions of the EU Commission for third-country transfers of personal data, as formerly Safe Harbor and now the EU-U.S. Privacy Shield (see my earlier post, German). This demand originated in particular from the judgment of the ECJ in “Schrems” (C-362/14) in October 2015.
In a statement (pdf, German) from July 15, 2016 the Federal Government now takes a stand on this resolution of the Bundesrat.
The Ministry of the Interior indicates that it is already currently working intensively on the adaptation of the national data protection law to the General Data Protection Regulation (GDPR). The new national data protection law shall, in accordance to the provision of Art. 58 para 5 GDPR, also provide legal remedies for data protection authorities.
However, the Ministry of the Interior does not directly mention the possibility of a judicial remedy against an adequacy decision of the European Commission but only refers to Art. 58 para 5 GDPR. Art. 58 para 5 GDPR also does not refer to the legal challenge of adequacy decisions of the European Commission as such, but to „infringements of this Regulation“.
This refers to a transfer of data to a third country as such that is not in accordance with the provisions of the GDPR, for example not based on a decision on adequacy or for example standard contractual clauses. The binding adequacy decision of the European Commission’s decision is, at least in my interpretation, not the subject of Art. 58 para 5 GDPR, but the processing of personal data as such which could be illegal and therefore challenged. Of course, the basis for this transfer (like an adequacy decision) could then also be assessed by the ECJ as part of a the general assessment of lawfulness of the transfer.
This would also be in line with the ECJ case law, as the Court has emphasized (margin 61 of Schrems judgment, C-362 /14)): „the Court alone has jurisdiction to declare that an EU act, such as a Commission decision adopted pursuant to Article 25(6) of Directive 95/46, is invalid, the exclusivity of that jurisdiction having the purpose of guaranteeing legal certainty by ensuring that EU law is applied uniformly“.
The Federal Government also does not want to grant data protection authorities the right to launch an action for annulment before the ECJ in accordance with Art. 263 TFEU on behalf of the Federal Republic of Germany. This is mainly because the data protection supervisory authorities are and must be independent.