The following is the second part in a two-part commentary (Part One available here) on a position paper issued by the Data Protection Conference of the German State Data Protection Authorities and the German Federal Commissioner for Data Protection ("Conference") following the recent decision of the Court of Justice of the European Union ("ECJ") invalidating the Safe Harbor decision of the EU Commission.
German DPAs Have The Power To Prohibit Or Suspend Data Flows Under EU Model Clauses
The Conference refers to Art. 4 of the EU Commission decisions regarding the EU Model Clauses (C2C and C2P). Art. 4 states that the national data protection authorities ("DPAs") may exercise their powers to prohibit or suspend data flows to third countries in order to protect individuals with regard to the processing of their personal data in cases where:
- it is established that the law in the third country imposes upon the data importer requirements to derogate from the applicable European data protection law which go beyond the restrictions necessary in a democratic society as provided for in Article 13 of the EC Data Protection Directive to the extent those requirements are likely to have a substantial adverse effect on the guarantees provided by the applicable European data protection law and the EU Model Clauses; or
- a national DPA has established that the data importer or a sub-processor has not respected the obligations of the EU Model Clauses; or
- there is a substantial likelihood that the obligations of the EU Model Clauses not being or will not be complied with and the continuing transfer would create an imminent risk of grave harm to the data subjects; or
- - in case of the EU Model Clauses C2C - the data importer refuses to cooperate with the national DPA or the data exporter refuses to enforce the EU Model Clauses against the data importer after receiving notice from the national DPA.
What Is New?
The national DPAs have always had the rights under Art. 4 of the EU Commission decisions regarding the EU Model Clauses, but we are not aware of any data transfer suspensions based on this audit right. The Conference has reminded all national DPAs on their rights and powers under Art. 4 and announced that the German DPAs will exercise those rights (when they become aware that a data controller has put in place EU Model Clauses).
In particular, the German DPAs will taken into consideration the ECJ's statement that (a) legislation permitting public authorities to have access on a generalized basis to the content of electronic communication is compromising the fundamental rights of private life as guaranteed by the Charter, and (b) legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to his personal data or to obtain the rectification or erasure of his personal data is compromising the fundamental rights to effective judicial protection as guaranteed by the Charter.
According to an informal conversation with a German DPA, the European DPAs intend to apply a two-prong assessment when EU Model Clauses are used: (1) Have EU Model Clauses effectively been put in place, and (2) - referring to the ECJ decision - is there legislation in the third country that permits access on a general basis to the content of electronic communication and/or legislation that does not provide for a possibility for an individual to pursue legal remedies to access his personal data or to have personal data rectified or erased, thereby compromising the fundamental rights of private life and of effective judicial protection. Any further details how this assessment on the third country legislation shall be carried out and what the essential criteria shall be, are yet to be determined and publicly announced by the European DPAs. Note that the German data protection authorities do not have a registry that identifies those data controllers that have put in place EU Model Clauses since there is no general notification requirements with the DPAs in Germany.