From now on, any transfer of personal data from Germany to the US should be regarded as unlawful under German data protection law. This was stated by the German data protection authorities in a press release issued on 24 July 2013. The authorities point to the NSA’s vast access to personal data in the United States under the NSA PRISM program as a key reason why they believe that an adequate level of data protection may no longer be assured in US companies, even if the EU-Standard Contractual Clauses are in place or the recipient in the US is Safe Harbor certified.
Usually, the conclusion of the EU-Standard Contractual Clauses or the data importer’s adherence to the Safe Harbor Principles in the US will allow the transfer of personal data from Germany to the US according to German data protection law. However, the data protection authorities argue that data importers in the US may no longer be able to adhere to the provisions of Safe Harbor and the EU-Standard Contractual Clauses as the NSA may, inevitably, have excessive access to this data. As a consequence, the German data protection authorities will - at least for the time being - no longer grant any kind of permissions (where these are required) allowing data transfers to countries outside of the European Union or the European Economic Area (including certain cloud services).
In practice, the vast majority of data transfers do not require the permission of the data protection authorities, due to reliance on EU-Standard Contractual Clauses or adherence to the Safe Harbor Principles, but the data protection authorities outline that these arrangements will also be evaluated more thoroughly by them in order to determine whether the data transfers have to be stopped in the future. In addition, the German data protection authorities have asked the European Commission to suspend their permission to transfer data to the United States under Safe Harbor.
This statement of the German data protection authorities is likely to have a significant impact on the future lawfulness of data transfers to countries outside of the European Union and especially to the United States. Whether the German data protection authorities will in fact argue in future that such data transfers based on the EU-Standard Contractual Clauses or on the Safe Harbor Principles have to be stopped is not yet clear. Furthermore, it is questionable whether the German data protection authorities actually have the competence to stop data transfers to the US under the EU-Standard Contractual Clauses or the Safe Harbor Principles, as these transfers have been regarded as being lawful by the European Commission; this assessment by the EU Commission is generally binding for the German data protection authorities. In consequence, for the time being, existing data transfers to third countries should still be considered legal if they are based on the EU-Standard Contractual Clauses or the Safe Harbor Principles. Nonetheless, the German data protection authorities’ review of the EU-Standard Contractual Clauses and the Safe Harbor Principles should be monitored very carefully, as its results could trigger the unlawfulness of data transfers from Germany to the US in the future.
A separate English-language version of the press release is available. It provides only a high-level summary of the concerns of the data protection authorities; the full opinion appears in the German-language version.