On Wednesday, Out-Law.com reported that The Independent Centre for Privacy Protection in the state of Schleswig-Holstein in Germany had called on businesses relying on European Commission-approved model contract clauses to transfer personal data from the EU to the US to terminate or suspend those arrangements.
The watchdog said it was its view that EU-US data transfers facilitated by the use of model clauses fail to comply with EU law. The opinion was outlined in light of the ruling last week by the Court of Justice of the EU (CJEU) that the 'safe harbour' framework for enabling EU-US data transfers is "invalid".
Using the model clauses in contracts is an alternative to engaging with the safe harbour regime. However, the Schleswig-Holstein authority cast doubt on whether companies can rely on model clauses to comply with EU data protection rules when transferring personal data from the EU to the US.
Out-Law.com asked a number of other German data protection authorities whether they shared the views expressed by the Schleswig-Holstein authority. Watchdogs in Berlin and Bremen have now confirmed that they do.
Berlin commissioner for data protection Dr Alexander Dix told Out-Law.com that the authority shares "the view that the model clauses cannot be used without new additional safeguards (clauses) as an alternative to Safe Harbor".
"Though the Commission decisions [on model clauses] have not formally been invalidated by the Court they contain powers of national DPAs very similar to the Safe Harbor decision. DPAs now have to make use of them in light of the Court's reasoning. Having said that we are waiting for a common position to be adopted by the Article 29 Working Party on this issue," the commissioner said in a statement.
Dr Imke Summer, state commissioner for data protection in Bremen, also told Out-Law.com that the authority shares the Schleswig-Holstein authority's "opinion and its statement of grounds".
However, Germany's federal data protection authority told Out-Law.com that the statement of the Schleswig-Holstein DPA had "not been coordinated" with it. It said it was unable to outline its position on "the transfer of personal data to third countries (especially the US), as the issue is currently still under discussion within the German as well as the European DPAs".
National data protection authorities from across the EU were set to meet to discuss the CJEU's ruling on Thursday under the auspices of the Article 29 Working Party.
"The data protection authorities appear to be arguing, according to the Schleswig-Holstein authority's paper, against model clauses on the basis that one of the clauses on the obligations of data importers in the US cannot be lived up to in light of the CJEU's ruling," Munich-based data protection law expert Stephan Appt of Pinsent Masons, the law firm behind Out-Law.com, said. "However, Germany's DPAs have long expressed this view given their concerns about US mass surveillance, so it is odd that it has taken the CJEU's judgment to bring the matter of model clauses into sharper focus."
The CJEU ruled the Safe Harbour Agreement to be invalid after deeming there to be insufficient restrictions on how the US authorities can use data transferred to the US from the EU. The CJEU had relied on the European Commission's own assessment of material leaked by whistleblower Edward Snowden regarding US intelligence agency surveillance practices when coming to that view.
The CJEU said that the safe harbour regime did not respect fundamental privacy rights afforded under EU law, and raised additional concern about the fact EU citizens do not have a judicial right to redress in the US if their data is mis-handled by US organisations.
In its judgment, the CJEU said that national data protection authorities were not bound by a Commission decision in 2000 that the EU-US safe harbour regime provided for adequate data protection, in line with the requirements of EU law. The Court said those watchdogs are free to investigate complaints about data transfers when issues come to light after those Commission decisions have been reached.
The Commission is currently in negotiations with US counterparts on putting in place a revised EU-US safe harbour regime for personal data transfers.
Data protection law expert Marc Dautlich of Pinsent Masons has said that businesses should be taking steps to examine their data protection procedures for data transfers to the US.
"There are already examples of squabbling and differences in approach between some data protection authorities in the EU about how to regulate US companies," Dautlich said last week. "These issues are likely to increasingly manifest themselves in light of the Weltimmo ruling which gives greater latitude to national data protection authorities to regulate businesses either based outside of the EU or in another EU country from them."
Dautlich said he hoped the "apparent lack of early coordination amongst the DPAs" on the approach to be taken to EU-US data transfers in the aftermath of the CJEU's safe harbour ruling was just a "temporary glitch" which would be addressed following the meeting of the Article 29 Working Party. He said the adoption of a consistent approach from EU DPAs on the issue of EU-US data transfers would align with the emphasis of the new General Data Protection Regulation which "has the objective of harmonisation in law and in enforcement across the single market".