Just one week after the milestone decision rendered by the CJEU (http://curia.europa.eu/juris/celex.jsf?celex=62014CJ0362&lang1=fr&type=TXT&ancre) to invalidate the Safe Harbor program established 15 years ago between the U.S. and the EU to facilitate the transfer of personal data from the EU to the U.S., a German data protection authority (DPA) of the state of Schleswig-Holstein (one of the German DPAs) issued a position paper where it states that, in its opinion:
- Given the mass surveillance conducted by U.S. intelligence agencies, data subjects may not be able to provide effective informed consent to the transfer of their data to the U.S., which means that such a legal basis may not be able to be used to legally transfer personal data from Europe to the U.S.;
- Model contractual clauses are not a reliable a tool to transfer personal data from Europe to the U.S. and data exporters should consider suspending such transfers under the model contracts. To reach this conclusion, the German DPA relied on the fact that the clauses require the data importer to represent that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter. However, the German DPA agency reasoned, U.S. data importers are not in a position to give such a representation.
Following such reasoning could deduce that, some narrow exceptions aside, Binding Corporate Rules are the only way to provide for adequate protection for a transfer of personal data from the EU to the U.S.
Indeed, according to EU Directive of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, except for certain derogations itemized in the directive, personal data cannot be transferred outside the EU to a country which does not offer an adequate level of protection (http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046). According to the EU Commission, the U.S., not being a country whose laws offer an adequate level of protection for personal data, the Safe Harbor program had been negotiated in 2000 between the U.S. authorities and the EU Commission to enable U.S. companies to legally import personal data from the EU. For various reasons explained in our previous blog (https://privacylaw.proskauer.com/2015/10/articles/european-union/us-eu-safe-harbor-invalidated-what-now/), the CJEU has invalidated the Safe Harbor program.
Before drawing hasty conclusions on the position taken by the DPA of the German state of Schleswig-Holstein, it is noteworthy that such DPA is known to be very strict in the protection of personal data. However, according to non-official sources, it seems that the position of this DPA may be shared by at least two other German DPAs (of Berlin and Breme) with regard to whether the model contractual clauses are a reliable export mechanism.
The German DPA’s position differs from the common press release that was issued on October 16th, 2015 by the Article 29 Working Party which stated that the Standard Contractual Clauses and Binding Corporate Rules can still be used, at least for the time being (https://privacylaw.proskauer.com/2015/10/articles/data-privacy-laws/article-29-working-party-issues-statement-following-landmark-cjeu-safe-harbor-ruling/).
Nevertheless, as mentioned by the Working Party, this will not prevent data protection authorities from investigating particular cases, for instance on the basis of complaints by data subjects, and from exercising their powers in order to protect individuals.