On October 14, 2015, the data protection authority (“DPA”) in the German state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz) issued a position paper (the “Position Paper”) on the Safe Harbor Decision of the Court of Justice of the European Union (the “CJEU”).
In the Position Paper, the DPA disagrees with the European Commission’s (the “Commission’s”) opinion that alternative data transfer mechanisms may be used in place of Safe Harbor. According to the Position Paper, mechanisms such as consent and EU standard contractual clauses that are currently being discussed should be evaluated in a new way. This evaluation must focus on the principles established by the CJEU, in particular the comparable legal level of protection. The Position Paper indicates that a long-term solution would require a significant change in U.S. law. It is unknown whether other German DPAs will concur with the Position Paper.
It should be noted that the Position Paper is the opinion of only one DPA in Germany, which is known to be conservative. The Position Paper does not invalidate any prior adequacy decisions made by the Commission. As the CJEU held in Schrems v. Facebook, DPAs in the Member States cannot invalidate Commission adequacy decisions.
The Position Paper discusses the recent Schrems v. Facebook decision that invalidated the U.S.-EU Safe Harbor Framework as a data transfer mechanism. The Position Paper notes that there are limited options for the Commission to take with respect to data transfers to the U.S. in the wake of the Schrems decision. These options, however, would require the U.S. to implement comprehensive changes to U.S. law, which may be unlikely in the short or medium term.
With respect to alternative data transfer mechanisms, the Position Paper concludes the following:
- Consent: The Position Paper notes that individuals must provide effective informed consent. According to the Position Paper, this entails providing individuals with comprehensive information on the lack of personal data protection in the U.S., including (1) the ability and wide-ranging power of the U.S. government to access their data, (2) the lack of data subjects’ rights, and (3) the general failure of the U.S. to adhere to the purpose limitation and necessity principles that are embedded in EU law. Given these issues, especially what it deems groundless mass surveillance conducted by U.S. intelligence agencies, the Position Paper concludes that consent may not be an option to provide a legal basis for data transfers to the U.S.
- Performance of a Contract: The Position Paper notes that contractual and necessary data transfers between the data subject and the data controller, such as providing data to book travel arrangements, are permissible. The Position Paper, however, indicates that this legal ground would not provide a legal basis for transfers of employee personal data that may be processed in the U.S. for purposes related to employee performance or behavior control.
- EU Standard Contractual Clauses: With respect to standard contractual clauses as a legal basis for transferring personal data to the U.S., the Position Paper refers to Commission decision 201/87/EU of February 5, 2010 (controller-to-processor data transfers) and Commission decision 2001/497/EC of June 15, 2001 (controller-to-controller transfers). In these decisions, a data importer must agree that it has no reason to believe that any applicable laws will prevent it from fulfilling the instructions and contractual obligations of the data exporter. If that is not the case, then the data exporter has the right to suspend the transfer of data and/or terminate the contract. Therefore, the Position Paper states that data exporters must consider exercising those rights.
Investigations by the DPA
The Position Paper indicates that the Schleswig-Holstein DPA is considering using the power granted to it by Article 4 of Commission decision 201/87/EU of February 5, 2010 to “prohibit or suspend data flows to third countries in order to protect individuals with regard to the processing of their personal data,” if the data importer is not able to comply with EU data protection law, or if the requirements of Article 13 of the EU Data Protection Directive 95/46/EC are not satisfied. The Position Paper further states that data transfers to the U.S. without a legal basis constitute an administrative offense and may be sanctioned with a fine of up to 300,000 EUR.
The Position Paper concludes by noting that the Schleswig-Holstein DPA will assess whether it has to issue administrative orders to prohibit or suspend data transfers, and will examine whether any offenses have been committed as a result of transferring personal data to the U.S., which does not guarantee an adequate level of data protection.