Arnd Böken, of our affiliate Graf von Westphalen, gives a German perspective on transatlantic data transfers. He warns that the planned Privacy Shield (discussed here) may not offer adequate protection, and that standard contractual clauses offer a safer alternative:
“Safe Harbor” and the ECJ’s Schrems ruling
The European Court of Justice (ECJ) invalidated the EU Commission’s “Safe Harbor” decision (Decision 2000/520) on 6 October 2015, rendering the majority of data transfers from the EU to the US illegal (Schrems, C-362/14).
Following the ruling, the Article 29 Working Party (WP29), which consists of EU data protection commissioners, announced on 16 October 2015 that the data protection authorities would take all necessary and appropriate action, including enforcement, if no appropriate solution were reached with the US authorities by the end of January 2016. As a result, many international companies with German subsidiaries stopped basing data transfers to the US on “Safe Harbor” and instead implemented the EU Commission’s standard contractual clauses in order to continue such transfers.
The draft Privacy Shield decision and German enforcement action
The European Commission declared at the end of January that negotiations with the US government had been successful, and the US would implement the so-called “Privacy Shield”. Nevertheless, several German data protection authorities did not wait for the EU Commission to issue a new “Safe Harbor II” or “Privacy Shield” decision, but started enforcement action by contacting companies in order to determine whether data transfer from Germany to the US was still based on Safe Harbor. Stating that such data transfer to the US was illegal, these DPAs began administrative proceedings in order to stop the transfer. Data transfer based on standard contractual clauses remained unchallenged.
On 29 February 2016, the EU Commission published the draft Privacy Shield decision to start a discussion on whether the Privacy Shield could guarantee an adequate level of data protection in the US. WP29 gave its opinion on the Privacy Shield and the draft adequacy decision on 13 April 2016. WP29 criticized that the Privacy Shield is a varied set of documents lacking overall clarity; that some key data protection principles, in particular the purpose limitation principle, are not reflected in the draft adequacy decision; and that the Privacy Shield offers insufficient protection against access by public authorities in the US.
At the German-American Data Protection Conference in Munich on 24 April 2016, Prof. Martin Selmayr, head of cabinet of the EU Commission president and data protection specialist, stated in a discussion with Julie Brill, the former FTC commissioner, and Ted Dean from the US Department of Commerce that he expects the EU Commission to issue the adequacy decision on the Privacy Shield, provided the Article 31 Working Party consisting of member states’ representatives agrees.
Mr. Selmayr also expects the adequacy decision to be challenged in court, and in his opinion there is a 51 % chance that the ECJ would uphold the decision. He also reminded the audience that the ECJ is under pressure, as data protection activists could seek help from the German Constitutional Court. The German Constitutional Court stated as early as 1983 that data protection is a fundamental right and is covered by the right to human dignity set out in Article 1 of the German Constitution.
Impact on data processing in Germany
Whatever the outcome of the Privacy Shield discussion, international companies should take into consideration that data protection plays an important role in Germany. In this light and given the uncertainty of the Privacy Shield’s future, international companies with subsidiaries in Germany and those dealing with their German counterparts should not rely exclusively on the Privacy Shield. It is advisable to implement standard contractual clauses to ensure that personal data can be transferred to US companies. Standard contractual clauses are also under scrutiny in Germany, but these clauses are a far safer means for transferring personal data than the Privacy Shield.