A little more than two months ago, the Court of Justice of the European Union (CJEU) struck down the U.S.-EU Safe Harbor Framework that permitted U.S. organizations to transfer the personal data of EU citizens to the United States. Since then, organizations have struggled to find appropriate workarounds, particularly in Germany. We recently asked Dr. Christian Schröder, Head of the IP/IT and Data Privacy Practice Group in Germany at Orrick, to update us on how the situation has evolved over the last two months.
The week following the court’s decision, the Schleswig-Holstein data protection authority (DPA) issued an even more limiting ruling (in German), finding that almost every transfer of personal data to the United States is problematic, even when based on consent. Fortunately, this decision seems to be an outlier. Two days later, the Article 29 Working Party reaffirmed the viability of workaround transfer methods, including binding corporate rules (BCRs) and Standard Contractual Clauses (SCCs) (also called EU Model Clauses).
Any relief that U.S. organizations felt in the wake of the Working Party’s proclamation was likely short-lived, especially for organizations transferring data from Germany. On October 26, German federal and state DPAs published a Position Paper (an unofficial English translation is available here) that is concerning. The Position Paper reiterates the CJEU’s decision that any transfers based on the Safe Harbor Framework are impermissible and asserts that investigations of such transfers will begin immediately. It also questions the validity of other transfer mechanisms, including BCRs and SCCs: German DPAs will not grant new authorizations for data transfers using BCRs until further notice, and SCCs will be assessed closely in line with the Schrems v. Facebook ruling. In particular, the Position Paper refers to recitals 94 and 95 of Schrems, which express concern about data regimes that afford government authorities access to electronic communications “on a generalised basis” and that do not offer individuals legal remedies with respect to their personal data, including access, revision, and erasure of that data.
With so much uncertainty in the wake of these decisions, organizations should, as I advised in an earlier post, carefully assess their data collection and limit the flow of data to the extent possible. For any unavoidable transfers, they should consider whether one of the following five routes under the Data Protection Directive is practicable:
- Legal claims: A transfer can occur if it is “necessary or legally required . . . for the establishment, exercise or defence of legal claims.” Of course, given the differences between narrow EU disclosure and broad pretrial American discovery, it is not clear whether a German DPA would approve a transfer under this exception.
- Consent: Individual consent should be used sparingly. The Position Paper makes clear that large-scale, routine or repeated data transfers are impermissible. When employee data is involved, it can only be transferred in “exceptional cases.”
- Contract terms: Another option is to transfer data as required to perform the terms of a contract with the data subject. Although this exception has limited applicability, it was not referenced in the German Position Paper, and thus it may remain a feasible alternative method under the EU Data Protection Directive.
- BCRs: Existing BCRs may still be a useful avenue for transfer, as the Position Paper asserted only that German DPAs would not grant new transfer authorizations.
- SCCs: In Germany, DPAs do not need to approve data transfers based on SCCs. But given the two caveats mentioned above, these transfers are likely to face heightened scrutiny by DPAs.
The Article 29 Working Party set a deadline of January 30, 2016 for U.S. and EU regulators to devise a solution for data transfers; otherwise, enforcement of the Schrems decision will begin in earnest across the EU. Organizations should monitor The Chronicle for continuing updates and guidance on navigating these murky waters.