Three weeks after the CJEU invalidated the EU–U.S. Safe Harbor Program in its ground-ruling judgment, as reported in our previous Alert, German privacy officials issued their long-awaited position paper yesterday. The position paper explains their analysis of the judgment and its consequences for data transfers to the U.S.
In its position paper, the committee destroyed the remaining hope of many companies that data transfers could simply continue to take place on the basis of the existing alternative data transfer mechanisms as provided for under EU data protection law (e.g., on basis of binding corporate rules or standard contractual clauses).
Instead, the authorities said that in light of the CJEU decision, the validity of such alternative data transfer mechanisms is questionable. As a consequence, the German authorities will
- prohibit any data transfer to the U.S. that is still made on the basis of Safe Harbor;
- currently not grant any approvals for data transfers to the U.S. on the basis of binding corporate rules; and
- closely examine standard contractual clauses on the basis of the principles laid out by the CJEU in its Safe Harbor decision which would in particular include the court’s criticizing statements regarding (i) public authorities having general access to the content of electronic communications and (ii) insufficient possibility for individuals to pursue legal remedies to access their personal data.
The position paper also refers to the consent of individuals whose data are affected and explains that this might, under narrow circumstances, in fact serve as justification for the transfer of the individuals’ data to the U.S. However, privacy officials also stressed that consent would not be sufficient for data transfers which are made “repeatedly, massively or routinely.”
The position paper shows that companies that are transferring customer, HR, or other personal data from Germany or the EU/EEA to an affiliate or non-affiliate in the U.S. should urgently review and, possibly, redefine the legal basis of their data transfers to the U.S. Otherwise, they will encounter a high risk of becoming subject to audit procedures and, ultimately, to injunctive orders and/or administrative fines. To this extent, some data protection authorities in Germany have already started approaching companies and enquiring about the legal basis of their data transfers to the U.S.