A bit over a month after the Safe Harbor judgement of the Court of Justice of the European Union (CJEU, C-362/14), the Article 29 Working Party, the Conference of the German Federal and States Data Protection Commissioners (DSK) as well as several state data protection authorities have published statements on the ruling. The European Commission has also given its first written statement. We summarize the most important conclusions and the current state of debate with a focus on Germany.
Short summary of the current status:
- Data transfers based on Safe Harbor are unlawful; there is no uniform grace period in Germany to switch to alternative transfer tools.
- German data protection authorities currently do not approve data transfers based on new ad hoc contracts or new Binding Corporate Rules (BCRs).
- Data transfers based on standard contractual clauses (SCCs) cannot be prohibited in general by the authorities.
Grace period for data transfers based on Safe Harbor?
While it is undisputed that data transfers to the US can no longer be based on Safe Harbor, it is unclear whether, and to what extent, the data protection authorities will grant an official grace period to give companies time to switch to alternative transfer tools. In its statement on the CJEU’s decision, the Article 29 Working Party set out that the national data protection authorities will consider coordinated enforcement measures after the end of January 2016 if the legal framework has not sufficiently improved by then. Authorities in many European member states read this statement as a general grace period. However, in its position paper the German DSK made clear that the authorities will prohibit any data transfers still based on Safe Harbor that they become aware of (No. 5 of the DSK’s position paper). In his press release last week, the Hamburg Commissioner for Data Protection and Freedom of Information deviated from this rather strict position and announced that he would not take any legal enforcement measures before February 2016. It is not yet clear whether other German data protection authorities will follow this approach.
Companies that are planning to change from Safe Harbor to alternative transfer tools should take into consideration that, according to the DSK’s position paper, the German data protection authorities will not approve any new ad hoc contracts or BCRs (No. 7 of the DSK’s position paper). Furthermore, the respective opinion of the data protection authority of Rhineland-Palatinate seems to indicate that it will from now on require prior authorization for data transfers to the US even if they are based on SCCs.
Will there be a Safe Harbor II?
The CJEU did not completely discard the Safe Harbor model. However, a Safe Harbor II would require the Commission’s decision on the adequate level of protection to actually refer to the data protection standard in the US (i.e. also to include public authorities’ access rights and the legal protection mechanisms available), even if this standard were limited to certified companies only. Considering the reactions received from the US and the LIBE Committee of the European Parliament, it seems rather questionable whether the Commission will be able to meet its announced three-month deadline to set up Safe Harbor II (No. 4 of the statement of the Commission).
Consequences for other adequacy decisions
With regard to other adequacy decisions, the Commission announced that it will change the provisions contained in all adequacy decisions which limit the national data protection authorities’ supervisory rights. Furthermore, regular audits of the decisions taken shall be carried out in the future (No. 3 of the opinion of the Commission). Therefore, it is likely that security-related legislation of other states outside the EU/EEA will also come under strict scrutiny in the future.
Are data transfers on the basis of alternative transfer tools (especially SCCs) still possible?
The Article 29 Working Party announced that it will provide its assessment of the consequences of the Safe Harbor decision for SCCs and BCRs by the end of January 2016. Should that assessment conclude that those alternative tools are not sufficient in view of the court’s requirements, and should the legal situation not change, the Article 29 Working Party has already threatened businesses with coordinated enforcement measures by the national authorities. In Germany, shortly after the judgement some authorities claimed that they consider the SCCs generally insufficient for a data transfer to the US (such as e.g. the authority of Schleswig-Holstein, under No. 4). However, taking the DSK’s position paper into account, this seems to refer only to the authorities’ general power to review the legality of individual transfers, which is reiterated by Article 4 of the Commission’s decisions on the different sets of SCCs. In conducting such reviews, the German authorities stated that they will consider the general principles referred to by the CJEU in paras. 94 and 95 of the decision (No. 4 and 6 of the position paper).
With respect to the SCCs, the Commission pointed out that the decisions on SCCs are binding for all member states, with the effect that national data protection authorities are not allowed to prohibit data transfers based on the mere allegation that the SCCs do not provide sufficient guarantees. However, the Commission also stresses that it remains the data exporter’s obligation to review the level of protection of personal data at the data importer and to implement additional measures to ensure sufficient protection (No. 2.1 and 2.4 of the Commission’s statement). As possible additional measures the Commission lists technical, organisational, legal and business-model-related measures, as well as a suspension of the data transfer or even a termination of the contract. Compliance with the above could be reviewed by the national authorities on a case-by-case basis (No. 2.4 of the Commission’s statement).
As a consequence, it is relevant which legal framework (laws and their practical application) applies to the data importer and whether that framework is in line with the criteria set out by the CJEU. Data importers that conclude SCCs are obliged to inform the data exporter about any legal provisions which might prevent the data importer from fulfilling its contractual obligations under the SCCs (e.g. Clause 5 lit. b and footnote 2 of the SCCs for data processors). Data importers are only exempted from this obligation insofar as mandatory requirements of the national legislation apply which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC. Amongst others, those interests include safeguarding national and public security. Therefore, data exporters and data protection authorities would have to take into account whether the particular data importer is complying with its obligations stated above and whether it is subject to a legal framework that is not in line with the requirements set out by the CJEU.