From today on German (and EU) DPA’s will no longer tolerate data transfer based on the Safe Harbor rules after the ECJ invalidated the Safe Harbor arrangement with the U.S. in its ruling of 6th of October 2015.
Current Status: No new solution available
Negotiators originally wanted to present a solution before the meeting of the Article 29 Working Party this week. However, Brussels and Washington did not yet manage to present a follow-up agreement for future data transfer between the EU and the U.S.
Current Option: Model Clauses
Without a new solution the tableau of options remains unchanged: Companies without approved Binding Corporate Rules (BCR) that wish to keep compliant with European data protection laws currently have only the option of using a set of the EU model clauses to safeguard the data transfer outside the EU/EEA. DPAs anounced that they will suspend the approval processes for new BCR temporarily until follow-up questions raised with the ECJ ruling will be solved. In exceptional cases consent from each individual may also be an option for the data transfer.
Limited durability of Model Clauses?
German DPAs tend to the legal oppinion that Model Clauses suffer the same lack of constitutionality as Safe Harbor did. Consequently, EU data protection bodies are discussing whether or not Model Clauses based solutions remain suitable means for the international data transfer, in particular for data transfer to the U.S. It might be the case that the durability of Model Clauses based solutions is limited as a late sequela of the Safe Harbor ruling.
What to do at the moment?
From today on, transferring identifyable data to the U.S. (without having already approved BCR in place) require a Model Clause based solution and a data transfer practice that is compliant with the Clauses, including appropriate technical and organizational measures:
- Make sure your oganization has validly implemented all required Model Clause based agreements and technical and organizational measures;
- Verify whether a transfer can be based on consent of the data subject; and
- Keep up with the latest discussions and developments regarding follow-up solutions for international data transfer.
DPAs suggest to either anonymize data or use better encryption technologies or process data on European territory instead of using Model Clauses.