The conference of German Data Protection Officers of the Federal Government and Federal States (DSK) has issued its position on the current post Safe Harbor environment. A few of the 14 points listed by the DSK stand out and are of particular practical relevance: 

  • German data protection authorities (DPAs) will stop any data transfers to the USA where they are aware that they are based only on Safe Harbor.
  • DPAs will not grant any new authorizations for transfers to the USA on the basis of BCRs or data export agreements at least until the end of January 2016.
  • Companies are requested to design their transfers in compliance with data protection requirements without further delay.
  • Consent remains a viable option to justify transfers only under restricted circumstances (not for transfers in a repeated manner, in mass quantities or routinely).
  • Employee consent can justify the transfer of HR data to the USA only in exceptional cases.
  • DPAs urge the EU Commission to push in its negotiations with US Government for adequate safeguards that implement the criteria of the Safe Harbor ruling, in particular regarding judicial relief, material data protection rights and the principle of proportionality. 

The point about authorizations for transfers based on BCRs and data export agreements has created some queries and confusion. A prudent reading suggests that, in principle, the instruments of BCRs and EU Model clauses remain viable means to ensure adequate protection. However, the DPAs reserve the right to analyse existing transfers closely, and will put on hold the approval process for new BCR filings in regard to US transfers. As for data export agreements, no prior authorization or notification with the authorities has been required when using the EU Model clauses, whereas this has been the case for specifically designed ("bespoke") data export agreements. The DPAs will no longer issue approvals for such bespoke data export agreements for the time being.