The European Court of Justice handed down its Schrems decision invalidating the Safe Harbor mechanism on October 6, 2015. Since then, companies have been looking to the Data Protection Authorities (DPAs) of EU member states to see how the decision would be interpreted and enforced.
As many companies know, Germany has a multifaceted data-protection landscape. Germany maintains seventeen (17) independent DPAs. Sixteen of these DPAs are run by the German states (or Länder), and these state-run DPAs are primarily responsible for overseeing private companies. The remaining DPA is run by Germany’s federal government and has jurisdiction over federal public institutions and telecommunications companies.
On October 14, 2015, the DPA of the state of Schleswig-Holstein was the first of the German DPAs to issue a position paper on how it would interpret and enforce Schrems. It began by confirming that, consistent with Schrems’s holding, it views data transfers on the basis of Safe Harbor as illegal. Additionally, the Schleswig DPA took the position that the European Commission’s Model Clauses no longer provide a valid legal basis for transferring data into the US, because it read Schrems as containing a factual finding that any data transferred to the US is potentially subject to bulk collection and processing by US surveillance agencies. For the same reason, the Schleswig DPA suggested that consent generally cannot be used as a valid basis for data transfers. The Schleswig DPA suggested that it would begin investigating data exporters and could punish non-compliance with fines of up to €300,000.
On October 26, 2015, Germany’s national Conference of Data Protection Commissioners (“DSK”) followed with its own position paper on Schrems. The DSK is comprised of the heads of all 17 German DPAs, and its positions will influence DPA action. In its paper, the DSK again warned that because of Schrems, data transfers on the basis of Safe Harbor are now illegal. Further points of the DSK’s position can be summarized as follows:
- Model Clauses: the DSK describes the post-Schrems legality of data transfers based on Model Clauses as “questionable.” As a result, the DSK indicates that German DPAs can investigate data transfers on the basis of Model Clause contracts for compliance with the “adequate” and “essentially equivalent” protection requirements of Schrems.
- Binding Corporate Rules (“BCRs”): the DSK also views data transfers on the basis of BCRs as called into question by the Schrems decision. As a result, the DSK’s paper states that no “new permission” for data transfers on the basis of BCRs or Data Export Contracts will be given.
- Consent: the DSK states that consent may not be used as a basis for any sort of routinized data transfers, and will only be viewed as viable under “strict conditions.” Employee data may be transferred to the US only in exceptional circumstances.
The same day the DSK issued its position paper, the DPA of the German state of Hamburg followed with its own. The Hamburg DPA’s position differed from both the Schleswig DPA and the DSK:
- At the moment, subsidiaries of US companies located in Hamburg will be investigated only to determine whether they are transferring data on the sole basis of Safe Harbor.
- The Hamburg DPA agreed that Schrems called the viability of Model Clauses and BCRs into question. However, it will not prohibit data transfers on the basis of Model Clauses or BCRs until Schrems’s effect on these alternatives has been “clarified.” The Hamburg DPA did not indicate who was responsible for clarifying, but it could likely be referring to the anticipated announcement of the Article 29 Working Group on January 31, 2016.
- The Hamburg DPA indicated that, at present, it would issue cease-and-desist orders (as opposed to, e.g., fines) for compliance failures.
Alston & Bird is closely following all 17 German DPAs and will provide updates as additional DPAs indicate how they plan to interpret and enforce Schrems.