German Privacy Chiefs Nix Safe Harbor Alternatives

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jabeen Bhatti

Oct. 26 — German privacy officials Oct. 26 dealt another blow to thousands of U.S. companies looking for help to transfer personal data out of the European Union as they issued a position paper saying that alternatives to the now invalidated U.S.-EU Safe Harbor Program don't offer a realistic way to transfer information to the U.S.

The Datenschutzkonferenz—a consortium of data protection authorities from the 16 German states and the federal DPA—said they wouldn't approve any new transfers on the basis of binding corporate rules. The DPAs also said would be “exercising their powers to audit” over standard contractual clauses.

They said data subject consent “might be a sound basis” for transfers to the U.S. under “strict conditions” but not “massively, or routinely.”

Attorneys told Bloomberg BNA that they had concerns about the position paper and its impact on business. “It's obviously a huge blow--it will have huge impact on any company about to submit for approval under” binding corporate rules, Jörg Hladjk of Hunton & Williams LLP in Brussels said. “Consent won't really work, and is impractical for most companies due to the massive volume in data being transferred,” he said.

“What now, that's the question,” he added. “There is a lack of guidance from the DPAs on what companies should do.”

The European Court of Justice, the EU's top court, Oct. 6 invalidated the U.S.-EU Safe Harbor Program (194 PRA, 10/7/15), which had allowed over 4,400 U.S. companies that self-certified with the Department of Commerce their compliance with privacy rules similar to those in EU Data Protection Directive (95/46/EC) to transfer personal data. The EU court pointed in part to the lack of a judicial redress mechanism for EU citizens under the Safe Harbor as a reason for finding that the program didn't adequately protect privacy.

The Safe Harbor, which has been in place since 2000, has been under political pressure from EU privacy advocates and many politicians since the disclosures by Edward Snowden on the scope of U.S. National Security Agency surveillance.

Unified German Position

The position paper follows an Oct. 14 position paper by the DPA of the state of Schleswig-Holstein that said entities seeking to transfer data outside of the EU cannot necessarily use alternative data transfer mechanisms—and said it could use its powers to suspend, and possibly fine, data transfers to the U.S. it considers lacking a legal basis (200 PRA 200, 10/16/15).

Attorneys said the Oct. 26 position shows the unity of German authorities to prevent data transfers to the U.S. following the ECJ ruling.

“In light of the judgment of the ECJ, the admissibility of data transfers to the United States on the basis of other instruments used for this purpose such as standard contractual clauses or BCRs are questionable,” the position paper said. “The ECJ noted that data protection authorities of EU Member States are not prevented—irrespective of Commission decisions—to assess, in full independence, the adequacy of the level of data protection offered in third countries.”

Negotiating Time Short

The group called on companies to immediately make their methods of data transfer conform with data protection regulations. Companies wanting to export data to the U.S. or other third countries were told to refer to the Datenschutzkonferenz's March 27, 2014, guidance guaranteeing human rights in electronic communication and another guidance from Oct. 9, 2014, on cloud computing (208 PRA, 10/28/14).

The DPAs also called for lawmakers to grant them specific “right of action” to enforce privacy requirements in accordance with the ECJ ruling recognizing the independent authority of DPAs. The group also urged the European Commission, the EU's administrative arm, to negotiate with the U.S. to create “far-reaching” safeguards to protect privacy including the right to legal protections, substantive data protection rights and the principle of proportionality.

The Datenschutzkonferenz said it is necessary to adopt decisions on the alternative transfer mechanism under standard contractual clauses consistent with the specifications laid down in the ECJ ruling.

The group said it welcomed the Jan. 31, 2016 deadline set by the Article 29 Working Party of data protection officials from the 28 EU member states for negotiations between the EU and U.S. to find a replacement for the invalidated Safe Harbor (201 PRA 201, 10/19/15).

Attorneys said that deadline is impractical. “I am concerned about the timing,” Hladjk said. “It's not a lot of time to adjust the Commission's decisions on model contractual clauses. I don't see how this can be done by then.”

Model Contract Clauses Viable?

Ulrich Wuermeling of Latham & Watkins LLP in Frankfurt, told Bloomberg BNA Oct. 26 that the although the German DPAs “question the legality of model clauses” they “seem to understand that only the Court of Justice can invalidate the underlying decisions of the European Commission.”

The DPA's position is a “real setback” for the use of binding corporate rules in Germany, he said.

“The approach differs from stricter statements made earlier by some individual authorities in Germany,” he added. “As a result, model clauses seem to be the best way forward, at least until the Court of Justice has the opportunity to invalidate them as well. Given that there are no bending cases on model clauses before the Court of Justice at present, I do not expect an invalidation of the model clauses decisions before 2018—by then, other solutions might be available.”

Data subject consent remains a valid mechanism to justify data transfers, he said

“If consent is transparent and freely given, I don't believe that a court would confirm the view of the German data protection authorities that they might still be invalid in cases of mass data transfers,” he said. “In the end, this view will surely lead to court disputes.”

To contact the reporter on this story: Jabeen Bhatti in Berlin at

To contact the editor responsible for this story: Donald G. Aplin at

Request Bloomberg Law: Privacy & Data Security