On October 26, 2015, the Data Protection Conference of the German State Data Protection Authorities and the German Federal Commissioner for Data Protection ("Conference") issued a position paper following the recent decision of the Court of Justice of the European Union ("ECJ") invalidating the Safe Harbor decision of the EU Commission.
Data Transfers Solely Based On Safe Harbor Will Be Prohibited
The Conference states that the German data protection authorities (“DPAs”) will prohibit transfers to the U.S. solely based on Safe Harbor if they become aware of such transfers. German data controllers are generally not required to notify the DPAs about any data flow or about the basis (such as Safe Harbor, EU Model Clauses, BCRs or other derogations such as consent or performance of contract) on which data is transferred to third countries. Hence, the DPAs do not have a registry that tells them on which basis a certain data controller transfers data to a third country. It is very unlikely that German data controllers will now receive a letter out of the blue from a DPA saying that certain data transfers are prohibited. The DPAs can become aware of the transfer basis due to a complaint raised by a data subject or the data protection officer or in the course of a random audit. In those circumstances, it is likely that a DPA will issue an order prohibiting the transfer based on Safe Harbor unless the data controller can prove an alternative basis.
No New BCR Approval By German DPAs
The Conference further states that the DPAs will not approve any new BCRs or any ad-hoc data export agreements. Ad-hoc data export agreements are different from EU Model Clauses: using EU Model Clauses does not require the approval of the DPO, whereas using an ad-hoc data export agreement as adequate safeguards for data transfers does require approval. The Conference does not say that any BCRs or ad-hoc data export agreements that had been approved in the past are no longer valid.
Consent Is Rarely a Feasible Option
Also, the Conference states that consent can serve as a legal basis for data transfers to third countries only under strict conditions. In any event, consent cannot be used for repetitive, mass or routine data transfers to third countries.
Compliance With EU Model Clauses Under Scrutiny
As concerns the EU Model Clauses, the Conference announces that it will exercise its audit rights under Art. 4 of the Commission decisions regarding the EU Model Clauses (C2C and C2P), in particular the principles stated by the ECJ. Art. 4 allows the European DPAs to suspend data transfers based on EU Model Clauses under certain circumstances. To be clear: There is no statement from the German DPAs that EU Model Clauses are "per se" invalid or "per se" fail to provide an adequate level of data protection. But it is unclear how they will exercise this audit right (see our Article “Position Paper of the German Data Protection Conference – Part 2”).
Interestingly, the Conference did not throw out any threats that the DPAs will impose fines upon companies that transfer data to third countries without a valid legal basis.
Unfortunately, the Conference did not provide any guidance or feasible alternatives for multinational companies to transfer personal data to the US. The uncertainty since October 6 still remains and may have even increased, not only because of this position paper but also because of a statement issued shortly afterwards by the DPA in Hamburg, stating that the DPA in Hamburg will not raise objections against data transfers based on EU Model Clauses for the time being.