Under the EU Data Protection Directive and the implementing European data protection laws, there is a general prohibition on the transfer of data outside the EEA unless adequate methods of protection are ensured. The Safe Harbor Commission Decision (Commission Decision 2000/520/EC) provided for a method to permit the transfer of personal data to the US. However, the recent judgment of the Court of Justice of the European Union (CJEU) declared that the Safe Harbor Decision is invalid and has also raised questions regarding other data export mechanisms.
The CJEU Decision has stated that personal data transfers which relied on the Safe Harbor Decision are now unlawful. Consequently, all EEA-seated companies must now consider which other mechanisms are available to ensure the adequate protection of any data transferred outside the EEA. These essentially comprise (i) data subject consent to the transfer, (ii) EU standard contractual clauses in place between the relevant data importer and exporter and (iii) Binding Corporate Rules.
In particular, companies seated in Germany must find solutions for their data export to the US and need to ensure they are fulfilling their obligations as the data controller. The German Data Protection Commissioners organized a special conference in Frankfurt on 21 October 2015 and, as a follow-up, issued a Position Paper. It should be noted that under No. 2 of the Position Paper the Commissioners have stated:
In the light of the CJEU’s ruling, the admissibility of data transfers to the US based on other instruments, such as standard contractual clauses or binding corporate rules (BCR), is also questionable.
Consequently, we would recommend that companies seated in Germany transferring personal data to the US closely monitor further German developments and seek individual legal advice in this regard. Although some German data protection authorities take a more pragmatic view (like the Bavarian data protection authority), it cannot be ruled out that one or more of the other German data protection authorities will eventually share the view of the data protection authority in Schleswig-Holstein and find transfers to the US on the basis of Model Clauses to be unlawful as well.
The Squire Patton Boggs Data Privacy & Cybersecurity team has created a quick reference guide to help clients understand the ECJ’s decision, its consequences and compliance steps to be taken now.