Today, the German supervisory authorities (“German DPAs”) responsible for data protection at federal and state (Länder) level published a position paper on the EU-U.S. Safe Harbor (available in German – see here). This 14-point position paper follows a meeting that these authorities held last week. Key points include:
-
following the Safe Harbor judgment of the Court of Justice of the EU (“CJEU”) of October 6, data transfers on the basis of the European Commission’s Safe Harbor Decision are not admissible and the German DPAs will prohibit data transfers to the U.S. which are exclusively based on Safe Harbor;
-
the admissibility of data transfers to the U.S. on the basis of other transfer mechanisms, such as standard contractual clauses or Binding Corporate Rules (“BCRs”), is called into question;
-
the German DPAs will not currently issue any new authorizations for data transfers to the U.S. on the basis of BCRs or data transfer agreements − this goes a step further than the position expressed by the Article 29 Data Protection Working Party (“WP29”) in its statement of October 16, in which the WP29 acknowledged that standard contractual clauses and BCRs can still be used as long as the WP29 is analyzing the impact of the CJEU judgment on the other transfer mechanisms; and
-
the German DPAs recognize that consent may in certain limited circumstances provide a legal basis for data transfers to the U.S.
The German supervisory authorities call upon companies to make their data transfers data protection compliant, but at the same time also call for action by legislators, the German Government and the Commission.