The data protection authority in Hamburg recently released a statement regarding the Safe-Harbor Decision of the European High Court of Justice.
The data protection authority stated that further data transfer based on the Safe-Harbor Principles are unlawful, because the decision doesn’t include a transitional period. The European and German data protection authorities will further review the legal implications on data transfers in the USA based on EC Model Clauses or Binding Corporate Rules.
To ensure the implementation of the Safe-Harbor decision, the commissioner will take various measures. In the first step, the data protection authority in Hamburg will identify companies which probably transfer personal data to the USA on the basis of a Safe-Harbor arrangement and will notify them about the Safe-Harbor decision and its impacts. In the second step, these companies will be asked to provide information regarding any data transfer in the USA and the legal basis for the transmission. Further measures (such as prohibition orders and penalties) to stop unlawful data transfers based on the Safe-Harbor arrangement will be taken from February 2016.
The EC Model Clauses and Binding Corporate Rules are considered to be a valid basis for data transfers as long as the European and German data protection authorities don’t come to other conclusion.
The data protection authority further states, that in case that the European commission should come to the conclusion that the USA can ensure an adequate level of data protection, the decision will be binding for all EU member states. No national data protection authorities shall be able to suspend the decision. The only possible legal remedy of data protection authorities is the procedure provided for in Article 28 Section 3 95/46/EG. Since the procedure hasn’t been implemented by German Law yet, the data protection authority requires from German legislator an urgent decision.