German DPAs Issue Position Paper on ECJ Invalidation of US-EU Safe Harbor | Practical Law

German DPAs Issue Position Paper on ECJ Invalidation of US-EU Safe Harbor | Practical Law

The German Conference of Data Protection Commissioners, consisting of German federal and state data protection authorities (DPAs), issued a position paper in response to the European Court of Justice's October 6, 2015 decision invalidating the US-EU safe harbor framework for the transfer of personal data from the European Economic Area to the US.

German DPAs Issue Position Paper on ECJ Invalidation of US-EU Safe Harbor

Practical Law Legal Update w-000-7205 (Approx. 3 pages)

German DPAs Issue Position Paper on ECJ Invalidation of US-EU Safe Harbor

by Practical Law Intellectual Property & Technology
Published on 28 Oct 2015Germany, USA (National/Federal)
The German Conference of Data Protection Commissioners, consisting of German federal and state data protection authorities (DPAs), issued a position paper in response to the European Court of Justice's October 6, 2015 decision invalidating the US-EU safe harbor framework for the transfer of personal data from the European Economic Area to the US.
On October 26, 2015, the German Conference of Data Protection Commissioners (DSK) issued a position paper in response to the European Court of Justice's (ECJ) decision in Maximillian Schrems v Data Protection Commissioner, Case C-362/14, 6 October 2015 invalidating the US-EU safe harbor framework for personal data transfers. The DSK consists of the German federal data protection authority (DPA) as well as DPAs from each of the German states.
The position paper includes the following policy changes immediately affecting the transfer of personal data from Germany to the US:
  • Data transfers to the US conducted solely based on the US-EU safe harbor are prohibited.
  • The German DPAs will not grant any new authorizations for data transfers from Germany to the US on the basis of binding corporate rules or data export agreements.
  • Companies seeking to export data to the US should design their data transfer procedures consistent with EU data protection requirements without undue delay.
  • Data transfers to the US may be permitted with consent of the data subjects in limited circumstances, so long as the transfers do not occur repeatedly, in mass quantities, or routinely. Consent will be a permissible basis for data transfer to the US only in exceptional cases where the transfer:
    • concerns personal data of employees; or
    • affects third party data.
In the position paper, the DSK also calls on the European Commission to:
  • Push for sufficiently extensive guarantees for the protection of privacy in negotiations with the US for a new data transfer framework.
  • Revise its decisions concerning standard contractual clauses for data export agreements in accordance with the guidelines of the ECJ decision by the January 31, 2016 deadline set by the Article 29 Working Party.