
Alston & Bird Privacy, Cyber & Data Strategy Blog


A Busy Month for German Data Protection

November 11, 2015 By Daniel Felz

The European Court of Justice handed down its Schrems decision invalidating the Safe Harbor mechanism on October 6, 2015.  Since then, companies have been looking to the Data Protection Authorities (DPAs) of EU member states to see how the decision would be interpreted and enforced.

As many companies know, Germany is a multifaceted data-protection landscape.  Germany maintains seventeen (17) independent DPAs.  Sixteen of these DPAs are run by the German states (or Länder), and these state-run DPAs are primarily responsible for overseeing private companies.  The remaining DPA is run by Germany’s federal government and has jurisdiction over federal public institutions and telecommunications companies.

On October 14, 2015, the DPA of the state of Schleswig-Holstein was the first of the German DPAs to issue a position paper on how it would interpret and enforce Schrems.  It began by confirming that, consistent with Schrems’s holding, it views data transfers on the basis of Safe Harbor as illegal.  Additionally, the Schleswig DPA took the position that the European Commission’s Model Clauses no longer provide a valid legal basis for transferring data into the US, because it read Schrems as containing a factual finding that any data transferred to the US is potentially subject to bulk collection and processing by US surveillance agencies.  For the same reason, the Schleswig DPA suggested that consent generally cannot be used as a valid basis for data transfers.  The Schleswig DPA suggested that it would begin investigating data exporters and could punish non-compliance with fines of up to €300,000.

On October 26, 2015, Germany’s national Conference of Data Protection Commissioners (“DSK”) followed with its own position paper on Schrems.  The DSK is comprised of the heads of all 17 German DPAs, and its positions will influence DPA action.  In its paper, the DSK again warned that because of Schrems, data transfers on the basis of Safe Harbor are now illegal.  Further points of the DSK’s position can be summarized as follows:

  • Model Clauses: the DSK describes the post-Schrems legality of data transfers based on Model Clauses as “questionable.”  As a result, the DSK indicates that German DPAs can investigate data transfers on the basis of Model Clause contracts for compliance with the “adequate” and “essentially equivalent” protection requirements of Schrems.
  • Binding Corporate Rules (“BCRs”): the DSK also views data transfers on the basis of BCRs as called into question by the Schrems decision.  As a result, the DSK’s paper states that no “new permission” for data transfers on the basis of BCRs or Data Export Contracts will be given.
  • Consent: the DSK states that consent may not be used as a basis for any sort of routinized data transfers, and will only be viewed as viable under “strict conditions.”  Employee data may be transferred to the US only in exceptional circumstances.

The same day the DSK issued its position paper, the DPA of the German state of Hamburg followed with its own.  The Hamburg DPA’s position differed from both the Schleswig DPA and the DSK:

  • At the moment, subsidiaries of US companies located in Hamburg will be investigated only to determine whether they are transferring data on the sole basis of Safe Harbor.
  • The Hamburg DPA agreed that Schrems called the viability of Model Clauses and BCRs into question.  However, it will not prohibit data transfers on the basis of Model Clauses or BCRs until Schrems’s effect on these alternatives has been “clarified.”  The Hamburg DPA did not indicate who was responsible for clarifying, but it was likely referring to the anticipated announcement of the Article 29 Working Group on January 31, 2016.
  • The Hamburg DPA indicated that, at present, it would issue cease-and-desist orders (as opposed to, e.g., fines) for compliance failures.

Alston & Bird is closely following all 17 German DPAs and will provide updates as additional DPAs indicate how they plan to interpret and enforce Schrems.

Filed Under: Data Protection, Enforcement, International, Privacy, Regulation Tagged With: Cross-border, Data Protection Authorities, EU Data Protection, European Union (EU), Germany, Max Schrems decision, Regulatory Enforcement

About Daniel Felz

Daniel Felz is a senior associate with Alston & Bird’s Privacy & Data Security Group. Dan leverages his extensive international experience to advise clients on global privacy, cybersecurity, technology, and adversarial matters.

