An early Position Paper of the German data protection authority of Schleswig-Holstein on the Schrems Judgment of the Court of Justice of the European Union (ECJ) gave little hope for practical alternatives to Safe Harbor. On October 26, all German data protection authorities published a more reasoned joint Statement that follows the approach taken by the Article 29 Working Party. It still includes some surprises in the details, but also offers hope for Model Contracts to be able to serve at least as an interim solution.
The Statement of the German data protection authorities (GDPA) starts with the unsurprising conclusion that data transfers cannot rely on the Safe Harbor Decision anymore. It continues to mention that the Schrems Judgment also puts data transfers under other instruments (like BCRs or Model Contracts) in question. The GDPAs announcement that they will not approve new BCRs or contractual solutions for data transfers in the US and have also requested that the German government allow data protection authorities to bring claims to courts (as required by the ECJ in the Schrems Judgment). The Statement of the GDPAs is short and obviously a compromise between differing views.
The first surprising conclusion relates to BCRs, which some companies were considering as a potential alternative solution in light of the Schrems Judgment. However, following today’s statement, GDPAs will not approve them anymore to the extent they are intended to cover data transfers to the US. Luckily, the authorities do not explicitly threaten to withdraw existing BCRs approvals. As a consequence, BCRs can still serve as an alternative solution if they are already approved or get approved by other member state authorities.
The conclusions drawn by the GDPAs on Model Contracts can only be understood in the context of the Schrems Judgment. The authorities say, that they will not approve individual contractual solutions for data transfers to the US anymore; however, the authorities do not say that standardized Model Contracts cannot be used anymore. This is an interesting finding as the use of Model Contracts in Germany does not require approval.
The approach becomes clearer when considered together with the GDPAs request that the German government introduce the right to bring cases to court, as requested by the ECJ. In the Judgment, the ECJ clearly states that the authorities can investigate cases based on an instrument sanctioned by decisions by the European Commission. However, the ECJ also states that only the ECJ can invalidate such decisions of the European Commission. In Germany, it would be procedurally difficult for a data protection authority to bring a claim to court that would lead to a request to the ECJ to verify the validity of decisions of the European Commission. The ECJ was aware that there are procedural problems in most member states to bring such claims, because only the data controllers or data subjects can usually bring such cases to court in defense against measures taken by data protection authorities. Therefore, the ECJ concluded in the Schrems Judgment that it would be the responsibility of the member states to introduce procedures to allow data protection authorities to bring such cases to court unilaterally.
Against this background, the thinking behind the Statement of the German data protection authorities becomes clearer. They will not approve individually negotiated contracts as a basis to provide adequate safeguards. However, they respect that only the ECJ can invalidate the European Commission decisions regarding Model Contracts and therefore, until such decision is made, the GDPAs will permit the continued use of them. This appears to be in line with the approach taken by the Article 29 Working Party which only stated that it would further investigate the use of Model Contracts, but accepted to respect them until the ECJ has made a determination on its validity. Accordingly, Model Contracts seem to be the best interim solution available.
The Statement of the GDPAs also deals with consent as a legal basis. While they question whether consent can be used for mass data transfers or in employment relationships; they accept that, in principle, consent can serve as a solution for data transfers to the US.