Even before the ECJ’s Schrems decision invalidated Safe Harbor, the European Commission had begun working closely with US negotiators to craft what has become the U.S.-EU Privacy Shield. While EU privacy leaders have noted that Privacy Shield represents important improvements in data protection, some German DPAs have voiced a desire to challenge Privacy Shield in court. This desire is not necessarily uniform; Germany has 16 state and one federal DPA, and their approaches to particular issues can diverge. Nonetheless, as we reported last year, at least one German DPA has taken the position that the Schrems ruling made all data transfers to the US illegal, and the head of the DPA of Hamburg publicly stated in recent interviews that Privacy Shield should be evaluated through litigation.
Shortly after Safe Harbor was invalidated, the German DPAs—anticipating the passage of Privacy Shield—issued a joint position paper “call[ing] upon lawmakers to provide them with the power to engage in legal proceedings.” Lawmakers did not immediately respond, and the State of Hamburg therefore proposed legislation granting German DPAs statutory rights of action to challenge Privacy Shield. The process appears to have stalled, however, with the result that German DPAs will likely not receive direct-challenge rights this year. The following presents a brief summary of the events to date:
1. The Hamburg Proposal: On April 4, 2016, the State of Hamburg introduced a draft resolution to the German Parlament’s Upper House (Bundesrat). Hamburg proposed asking the German government to “promptly introduce a bill that grants the Federal and State Data Protection Agencies an express statutory right to bring suit” by which German DPAs could challenge Commission adequacy decisions such as Privacy Shield. The State of Hamburg justified its request with reference to paragraph 65 of the ECJ’s Schrems decision, which states:
[W]here the national supervisory authority considers that the objections advanced by the person who has lodged  a claim … are well founded, that authority must … be able to engage in legal proceedings.
The State of Hamburg further cited passages in the Schrems decision to argue that it was “incumbent upon the national legislature to provide for legal remedies” enabling DPAs to challenge Commission decisions, because only through such suits could national courts refer such challenges to the ECJ.
2. The Upper House Resolution: On May 13, 2016, the Upper House adopted the State of Hamburg’s proposed resolution. Relying on Hamburg’s cites to the Schrems decision, the Upper House proposed adding a new § 38b to Germany’s Federal Data Protection Act (Bundesdatenschutzgesetz, or “BDSG”). The draft § 38b BDSG would have permitted German DPAs investigating data-subject complaints to bring a declaratory judgment action challenging Commission adequacy decisions directly before Germany’s Supreme Administrative Court (SAC). Such actions would have permitted the SAC to issue a preliminary declaration that Commission adequacy decisions were invalid, and—since the SAC is a court of last resort—would have procedurally required the SAC to refer the matter to the ECJ for final resolution.
The Upper House’s resolution contained an additional point that went beyond Hamburg’s original proposal: it asked the German government to design a legal mechanism by which DPAs could challenge EU acts on behalf of the German state. As an example, the Upper House suggested DPAs could be given rights to bring actions in EU courts on behalf of Germany to annul Commission adequacy decisions. Because annulment actions are usually only brought by the appropriate cabinet ministry within EU member state governments, permitting independent agencies like DPAs to bring them would have required express statutory authorization.
3. The German Government’s Answer: After being passed, the Upper House’s resolution was forwarded to the German government for review. Just over two weeks ago, the German Interior Ministry (Bundesministerium des Innern, or “BMI”) issued a written response in which it declined to grant DPAs the rights they sought—at least for the moment. Instead, BMI stated that it was working “intensively” on legislation to bring German data-protection law into compliance with the forthcoming General Data Protection Regulation (GDPR). As part of this, BMI promised that its legislation would implement Article 58(5) GDPR. Article 58(5) GDPR provides:
Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.
BMI stated that it will provide “remedies for DPAs” and that in doing so, “applicable ECJ jurisprudence will be taken into account.” It also noted that – as requested by the Upper House – statutory DPA remedies will be available “promptly.”
Notably, BMI declined to permit DPAs to bring annulment actions against Privacy Shield on behalf of the German state. In BMI’s view, fully independent agencies such as DPAs were not candidates to take positions on the state’s behalf.
Lastly, BMI stated it stood in “close contact” with German DPAs—and had presented its plans for GDPR implementing legislation to DPAs at the end of May. According to BMI, the German DPAs reacted “positively” to both the content and the passage timeline that BMI proposed.
For businesses hoping to take advantage of Privacy Shield, several important points come out of the above summary:
a) German DPAs are unlikely to receive statutory rights of action before the end of this year. According to BMI, German DPAs’ statutory rights of action will be part of comprehensive GDPR-facing amendments to German data-protection laws. Drafting and finalizing provisions that will substantially change decades of German data-protection practice will require significant work by both BMI and the German legislature. At the earliest, these comprehensive amendments are not expected to appear before the end of this year. Also, the GDPR does not enter into force until May 25, 2018, so the German government has no immediate pressure to move data-protection changes to the fore. If the amendments containing DPA rights of action do not pass this year, their passage before 2018 becomes unlikely, because 2017 will be a year of congressional elections.
b) The scope of DPA rights of action is yet to be determined. BMI has not promised to grant German DPAs a right to challenge Privacy Shield, but has instead stated that it will implement Article 58(5) GDPR. This provision only requires Germany to permit DPAs to bring suits “as appropriate” to enforce GDPR provisions. It is possible that the German legislature grants DPAs limited rights to challenge the legality of particular transfers to the US, instead of a general right to challenge Privacy Shield in toto. Granting 17 independent state and federal agencies the right to directly challenge EU Commission decisions may raise separation-of-powers or federalism concerns, and the German legislature may decide to keep the right to challenge EU actions in the hands of cabinet departments.
c) German DPAs may try to participate in Privacy Shield legislation through other means. Despite not having direct rights of action, German DPAs may attempt to participate in Privacy Shield lawsuits by seeking to join procedures as amici, offering support to individual litigants, or offering briefs or expertise to German courts. Moreover, Germany recently passed a law permitting registered consumer-rights organizations to challenge wrongful data processing, and DPAs must be notified and invited to participate when such suits are filed. Lastly, one of DPAs’ more potent ways to stay involved may be via their investigatory powers, which can result in document discovery that is usually unavailable in German litigation.
* * * * *
Alston & Bird LLP is closely monitoring the development of DPA rights of action in Germany and throughout the EU. For more information, contact David Keating or Jim Harvey.