Position Paper of the German Data Protection Conference

On October 26, 2015, the Data Protection Conference of the German State Data Protection Authorities and the German Federal Commissioner for Data Protection ("Conference") issued a position paper following the recent decision of the Court of Justice of the European Union ("ECJ") invalidating the Safe Harbor decision of the EU Commission.

Data transfers solely based on Safe Harbor will be prohibited

The Conference states that the German data protection authorities ("DPAs") will prohibit transfers to the U.S. solely based on Safe Harbor if they become aware of such transfers. German data controllers are generally not required to notify the DPAs about any data flow and on which basis (such as Safe Harbor, EU Model Clauses, BCRs or other derogations such as consent or performance of contract) data is transferred to third countries. Hence, the DPAs do not have a registry that tells them on which basis a certain data controller transfers data to a third country. It is very unlikely that German data controllers will now receive a letter out of the blue from a DPA saying that certain data transfers are prohibited. The DPAs can become aware of the transfer basis due to a complaint raised by a data subject or the data protection officer or in the course of a random audit. In those circumstances, it is likely that a DPA will issue an order prohibiting the transfer based on Safe Harbor unless the data controller can prove an alternative basis.

No new BCR approval by German DPAs

The Conference further states that the DPAs will not approve any new BCRs or any ad-hoc data export agreements. Ad-hoc data export agreements are different to EU Model Clauses: using EU Model Clauses does not require the approval of the DPO whereas using an ad-hoc data export agreement as adequate safeguards for data transfers does require approval.
The Conference does not say that any BCRs or ad-hoc data export agreements that had been approved in the past are no longer valid.

Consent is no feasible option

Also, the Conference states that consent can serve as a legal basis for data transfers to third countries only under strict conditions. In any event, consent cannot be used for repetitive, mass or routine data transfers to third countries.

Compliance with EU Model Clauses under scrutiny

To be clear: There is no statement by the Conference that EU Model Clauses are "per se" invalid and do "per se" not provide for an adequate level of data protection. However, the Conference refers to Art. 4 of the EU Commission decisions regarding EU Model Clauses (C2C and C2P). Art. 4 states that the national DPAs may exercise their powers to prohibit or suspend data flows to third countries in order to protect individuals with regard to the processing of their personal data in cases where:

(a) it is established that the law in the third country imposes upon the data importer requirements to derogate from the applicable European data protection law which go beyond the restrictions necessary in a democratic society as provided for in Article 13 of the EC Data Protection Directive to the extent those requirements are likely to have a substantial adverse effect on the guarantees provided by the applicable European data protection law and the EU Model Clauses; or
(b) a national DPA has established that the data importer or a sub-processor has not respected the obligations of the EU Model Clauses; or
(c) there is a substantial likelihood that the obligations of the EU Model Clauses are not being or will not be complied with and the continuing transfer would create an imminent risk of grave harm to the data subjects; or
(d) in the case of the EU Model Clauses C2C, the data importer refuses to cooperate with the national DPA or the data exporter refuses to enforce the EU Model Clauses against the data importer after receiving notice from the national DPA.

What is new with this statement?

The national DPAs have always had the rights under Art. 4 of the EU Commission decisions regarding the EU Model Clauses, but we are not aware of any data transfer suspensions by German DPAs based on this audit right. The Conference has reminded all national DPAs of their rights and powers under Art. 4 and announced that the German DPAs will exercise those rights (when they become aware that a data controller has put in place EU Model Clauses). In particular, the German DPAs will take into consideration the ECJ's statement that (a) legislation permitting public authorities to have access on a generalized basis to the content of electronic communication is compromising the fundamental rights of private life as guaranteed by the Charter, and (b) legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to his personal data or to obtain the rectification or erasure of his personal data is compromising the fundamental rights to effective judicial protection as guaranteed by the Charter.

According to an informal conversation with a German DPA, the European DPAs intend to apply a two-prong assessment when EU Model Clauses are used: (1) Have EU Model Clauses effectively been put in place, and (2) referring to the ECJ decision, is there legislation in the third country that permits access on a general basis to the content of electronic communication and/or legislation that does not provide for a possibility for an individual to pursue legal remedies to access his personal data or to have personal data rectified or erased, thereby compromising the fundamental rights of private life and of effective judicial protection. Further details on how this assessment of the third country legislation is to be carried out, and what the essential criteria are to be, are yet to be determined and publicly announced by the European DPAs.
Note again that the German data protection authorities do not have a registry that identifies those data controllers that have put in place EU Model Clauses since there is no general notification requirement with the DPAs in Germany.

Conclusion

Interestingly, the Conference did not throw out any threats that the German DPAs will impose fines upon companies that transfer data to third countries without a valid legal basis. Unfortunately, the Conference did not provide any guidance or feasible alternatives for multinational companies to transfer personal data to the US. The uncertainty since October 6 still remains and may have even increased, not only by this position paper but also by a statement of the DPA in Hamburg issued shortly after, stating that the DPA in Hamburg will not raise objections against data transfers based on EU Model Clauses for the time being.

Art. 13 (1) of the EC Data Protection Directive: "Exemptions and restrictions: Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6 (1), 10, 11 (1), 12 and 21 when such a restriction constitutes a necessary measures to safeguard: (a) national security; (b) defence; (c) public security; (d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions; (e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters; (f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e); (g) the protection of the data subject or of the rights and freedoms of others."

For more information, please contact Julia Wendler.