German Data Protection Authorities Limit Use Of Alternative Data Transfer Mechanisms In Light Of Safe Harbor Decision

In the weeks since the October 6, 2015, Court of Justice of the European Union decision ("CJEU Decision") that invalidated the EU-U.S. Safe Harbor framework, companies have been faced with the quandary of establishing legal alternatives for transferring personal data from Europe to the U.S. We have discussed alternative data transfer mechanisms such as standard contractual clauses (SCCs, also called model clauses) and binding corporate rules (BCRs). Both mechanisms were implicitly endorsed by the European Commission, first in an October 6 press release, and then in an October 16 statement by the European Comission Article 29 Working Party. Not all European countries, however, have taken this position.

On Monday, October 26, a group of German data protection authorities ("German DPAs") representing the federal government and 16 German states issued a 14-point position paper (available in German here) following the CJEU Decision. The most significant findings include:

Validity of BCRs and SCCs called into question. Taking a contrary position to the European Commission, the German DPAs have cast doubt on the validity of BCRs and SCCs in light of the CJEU Decision. This follows the findings of a position paper published by the ULD, the data protection authority in the German state of Schleswig-Holstein. The ULD position paper concluded that transfers of personal data between German data exporters and U.S. data importers on the basis of SCCs are no longer permitted because, according to the CJEU Decision, U.S. contractors cannot comply with their contractual obligations given current U.S. law. The rest of the German DPAs appear to have embraced this position. No new authorizations of BCRs or data export contracts for personal data transfers to the U.S. At this time, the German DPAs will not issue any new authorizations for transfers of personal data from Germany into the U.S. that rely on BCRs or "data export contracts." What is unclear is whether existing BCRs and data export agreements that have already been approved will similarly be invalidated. It is also unclear for how long the German DPAs plan to hold this position. Data transfers from Germany to U.S. based solely on Safe Harbor are invalid. Following the CJEU Decision, the German DPAs have declared that any transfer of German personal data to the U.S. relying solely on Safe Harbor approval is now invalid. Individual consent to transfer of personal data may be used sparingly. The German...