Update on Safe Harbor
The European data protection authorities (DPAs) published a common position on October 16, and the German DPAs published their own on October 26, setting out their position regarding the ECJ's Safe Harbor decision and how they want to deal with Safe Harbor and other instruments for data transfers. While they include various political statements calling on member states, the US and the European Commission to find solutions, they also deal with immediate actions.
In both position papers, the DPAs are clear that they consider data transfers based solely on Safe Harbor to be no longer permitted. The DPAs reserve the right, and announce their intention, to take action against infringements; no specific grace periods are granted.
With respect to the other instruments for data transfers to the US (EU Model Clauses, Binding Corporate Rules), the European DPAs have only stated that they will evaluate those instruments until the end of January 2016 in order to reach a common position. The European DPAs have clarified that the general concerns raised by the ECJ against Safe Harbor should also be relevant for the other instruments. However, they have explicitly confirmed that data transfers on the basis of EU Model Clauses and Binding Corporate Rules should still be permissible until the end of January 2016.
The German DPAs, though, take a stronger and surprising position in their paper. They reinforce the statement already made in July 2013 that German DPAs will not grant any approvals for data transfers to the US. Under German law, which differs from that of other EU countries, data transfers on the basis of Binding Corporate Rules (BCR), or on the basis of individual contractual solutions not solely based on the EU Model Clauses, are subject to approval. We have asked one of the DPAs, which confirmed that they in fact currently will not grant any approvals. They explained that the German DPAs have so far not reached a final position on whether or not they will grant such approvals in the future and what conditions should apply to such approvals. Therefore, they need time until the end of January 2016 to come to more definite conclusions. Hence, we believe that it is currently unlikely that pending requests will be denied, but rather they will be until the DPAs have found a common position. They have not announced that they will revoke authorisations already granted.
Furthermore, the German DPAs, as a rule, consider that consent may not be a valid basis for data transfers to the US if it is used repeatedly, as a mass instrument, or on a routine basis, or if consent is used vis-à-vis employees. Accordingly, consent used for standard internet services, for example, might no longer be valid according to this opinion of the German DPAs.
With respect to the instrument of EU Model Clauses for transfers of personal data to third countries, the German DPAs announced a review. However, those contracts are not subject to an approval requirement in Germany. Hence, data transfers on the basis of EU Model Clauses are still possible, at least for the time being. The German DPAs do not have legal means to challenge these model clauses as such or to have them reviewed by a court. The German DPAs will only be able to react if they come across EU Model Clauses used in a specific case. In our view, there should not be massive actions taken by German DPAs against data transfers based on EU Model Clauses until the end of January 2016. As a consequence, in our view, at least for an interim period, the EU Model Clauses remain the only viable instrument for data transfer to the US from Germany.