German data protection authorities limit companies' options for US data transfers

Companies with pre-existing BCRs will continue to be able to rely on those arrangements at the moment, as an EU privacy body confirmed earlier this month. However, the German watchdogs have outlined their intent to scrutinise the measures businesses have in place to safeguard personal data when it is transferred to the US in light of a recent Court of Justice of the EU (CJEU) ruling.

The CJEU ruled that a framework which allowed companies to move personal data across the Atlantic in a way which complied with EU data protection laws, the EU-US 'safe harbour' regime, was "invalid". The Court raised concerns about US authorities accessing data transferred from the EU and questioned whether there are sufficient privacy safeguards in place.

The CJEU's ruling has meant companies previously dependent on complying with the 'safe harbour' requirements have had to look to alternative legal mechanisms to continue transferring personal data to the US from the EU. However, the judgment has prompted debate about whether alternative mechanisms for transferring personal data from the EU to the US actually provide for adequate data protection, as required by EU law, as a result of the concerns referred to by the CJEU.

Germany's data protection authorities have now confirmed that they will block attempts by companies to rely on new BCRs for transferring personal data to the US. Their unified statement follows a string of individual comments made by some of the authorities about the impact of the CJEU's ruling in the aftermath of the judgment, as reported by Out-Law.com.

BCRs are effectively a code of conduct that businesses can put in place, with the approval of data protection authorities, for handling and protecting personal data in a way which accords with the requirements of EU data protection law when transferring that data to other companies in their group in locations outside of the European Economic Area.

The German authorities also confirmed that they will also not allow companies to put in place new "data export contracts" as a basis for transferring personal data to the US. EU data protection laws allow for personal data transfers outside of the EU where it is necessary for the conclusion or performance of certain contracts.

The statement issued by the German authorities limits the steps businesses that were reliant on safe harbour can now take to continue with data transfers from the EU to the US. They confirmed that companies can no longer claim compliance with EU data protection laws for data transfers on the sole basis that they adhere to the requirements of the EU-US Safe Harbour Agreement deemed invalid by the CJEU.

One alternative businesses looking to continue trans-Atlantic data flows have been considering is the implementation of European Commission-approved model clauses into their contracts. The clauses govern how personal data should be treated when transferred from the EU to the US. However, that mechanism for transferring personal data is also at risk following the CJEU's judgment.

The Article 29 Working Party, which is a committee made up of all of the EU's national data protection authorities, is currently reviewing "the impact of the CJEU judgment" has on model clauses, BCRs and other mechanisms that enable EU-US data transfers.

Whilst model clauses and BCRs already in place can continue to be used at the moment, the Working Party has said there is still the potential for data protection authorities to examine whether companies relying on those arrangements comply with EU data protection laws.

The Working Party has called on EU and US officials to "find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights" by the end of January 2016. It has said that the data protection authorities could take enforcement action against companies if "no appropriate solution is found with the US authorities" by the end of January 2016.

Enforcement action could depend on whether the Working Party finds that the alternative mechanisms companies rely on for transferring personal data to the US, such as model clauses and BCRs, do not provide for the adequate protection of personal data, as is required by EU law, it said.

In their statement, the German authorities suggested that they plan to scrutinise companies' US data transfer arrangements based on European Commission-approved model contract clauses. They said it is "necessary promptly to adapt the [European Commission's] decisions on standard contractual clauses" to account for the findings made by the CJEU in its judgment on the safe harbour regime.

The German authorities said companies can transfer personal data to the US on the basis of data subjects' consent "under strict conditions". However, they suggested companies might need consent for each transfer of personal data to the US they make. They said consent obtained would not justify the repeated, mass or routine transfer of personal data.

For employee data specifically, the German watchdogs said they would consider consent will only as being a valid basis for transferring the data to the US "only in exceptional cases".

Separately, Switzerland's federal data protection and information commissioner has announced that the 'safe harbour' framework facilitating personal data transfers between Switzerland and the US, which is separate to the EU-US safe harbour regime, is invalid in light of the CJEU's ruling.

Similarly, Israel's Law, Information and Technology Authority has shut down a derogation that existed in Israeli law which allowed businesses to transfer personal data to the US from Israel on the basis of the EU-US safe harbour regime, according to an unofficial translation of its statement (2-page / 57KB PDF) produced by Omer Tene of the International Association of Privacy Professionals.