Off the record we received some additional information on the further approach in terms of Safe Harbor:
MEETING ON FRIDAY
German data protection authorities have scheduled a meeting on Friday where they will discuss how to proceed in Germany in implementing the decision of the European Court of Justice. The outcomes of that meeting will then be coordinated with the European data protection authorities. Until that occurs, no joint press release from data protection authorities in Germany should be expected.
In a German data protection authority’s off-the-record view, the invalidity of Safe Harbor will apply from now on (ex nunc) and not retroactively (ex tunc). This is in line with paragraph 52 of the European Court of Justice Decision (C-362/14) and good news for German companies.
But the same data protection authority also indicated that a grace period to shift from Safe Harbor arrangements to the EC Model Clauses might not be granted. Although this off-the-record statement is, of course, not official and not coordinated with other data protection authorities, we highly recommend entering into EC Model Contracts with service providers as soon as possible, because data protection authorities are entitled to order suspension of services under Safe Harbor with immediate effect.
Bremen’s data protection authority already stated in an official press release that it expects all companies seated in Bremen to react immediately (https://ssl.bremen.de/datenschutz/sixcms/media.php/13/Pressemitteilung+Safe+Harbor.docx.pdf).
EC MODEL CLAUSES
We have heard off the record from at least one DPA that in their view, because it will be possible for US governmental organizations, such as the NSA, to access personal data of European individuals in the US, putting EC Model Clauses in place will still not ensure an adequate level of data protection. Nevertheless, absent a court decision of invalidity, they wouldn’t prohibit the processing and/or transfer of personal data covered by EC Model Clauses for the time being.
DECLARATION OF CONSENT LESS ATTRACTIVE
It is already very challenging to obtain getting a declaration of consent of each affected person. The European Court of Justice decision may make full compliance with requirements for obtaining valid consent UNDER GERMAN LAW even more difficult. The transferring party must not only inform about the categories of data, the receiving party, purposes of processing, right to rejection and inadequate level of data protection in the US, but also about missing enforcement and deletion, blocking and erasure rights of the affected individual. –
In summary, as EC Model Clauses have not been declared to be invalid, entering into EC approved Model Clauses is currently the safest way to structure data processing and/or data transmissions in the US of personal data from Germany.