The Independent Centre for Privacy Protection in the state of Schleswig-Holstein said (5-page / 56KB PDF) that, in its view, EU-US data transfers facilitated by the use of model clauses fail to comply with EU law.
It outlined its opinion in a new position paper published in light of the ruling last week by the Court of Justice of the EU (CJEU) that the 'safe harbour' framework for enabling EU-US data transfers is "invalid".
The Safe Harbour Agreement had meant that US organisations that self-certified compliance with the requirements of the safe harbour regime could transfer personal data from the EU to the US because the arrangements were deemed to meet the data protection standards required under the EU's Data Protection Directive.
That framework was ruled invalid after the CJEU, relying on the European Commission's own assessment of material leaked by whistleblower Edward Snowden regarding US intelligence agency surveillance practices, said that there are insufficient restrictions on how the US authorities can use data transferred to the US from the EU. The Court said that the safe harbour regime did not respect privacy in the way required under EU law, and raised additional concern about the fact that EU citizens do not have a judicial right to redress in the US if their data is mishandled by US organisations.
The Schleswig-Holstein authority said that when the findings of the CJEU's judgment are applied to data transfers made on the basis of model clauses, such transfers are "no longer permitted". It said there needs to be "comprehensive change" to US law to ensure that adequate data protection is provided for when personal data is transferred from the EU to the US.
The Schleswig-Holstein authority said it plans to review whether to start scrutinising businesses' EU-US data transfer arrangements and check whether any breaches of data protection laws have been committed. It explicitly referred to its authority to fine companies up to €300,000 for breaking German data protection rules.
Out-Law.com has asked other data protection authorities in Germany whether they share the views of the Schleswig-Holstein authority. It has yet to receive a response.
National data protection authorities from across the EU are set to meet to discuss the CJEU's ruling on Thursday under the auspices of the Article 29 Working Party. The UK's Information Commissioner's Office (ICO) told Out-Law.com that it would not be commenting further on the topic until it has "considered everything" from the Working Party's meeting.
Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said the views expressed by the Schleswig-Holstein authority will be of concern to many businesses that have been using model clauses for US data transfers or which are now turning to that mechanism in light of the CJEU's ruling on the safe harbour regime.
"It is as yet unclear whether the Schleswig-Holstein authority speaks for itself only or whether their opinion reflects the result of discussions with other of Germany's data protection authorities on this issue. As we first detailed last week, there were just seven cases between January 2014 and mid-August 2015 that the UK ICO looked into which concerned potential breaches of data transfer rules by organisations. Whether it is initiated by the ICO or other regulators, businesses can expect their data transfer arrangements to come in for greater scrutiny in future in light of the CJEU's judgment," he said.
"Even if Europe's data protection authorities agree that model clauses are a suitable mechanism for enabling data transfers, businesses implementing them into their contracts should be aware that the clauses give data subjects certain rights of enforcement of the contractual requirements against data exporters, and in some cases data importers, and they also give data protection authorities certain audit rights," Dautlich said.
Munich-based data protection law expert Stephan Appt of Pinsent Masons said Germany's data protection authorities met to discuss the CJEU's ruling last week with a view to reaching a consistent view on the issue of EU-US data transfers ahead of the Working Party meeting.
"The fact that the Schleswig DPA has now issued this paper either means that this reflects – at least to some extent – the joint position of all German DPAs or that it is just keen on getting in the headlines first with an extreme position," Appt said. "The position paper also seems to be extreme in the sense that the Schleswig DPA opines that data subjects are actually not in a position to declare valid consent in data transfers to countries where there is a risk of mass surveillance by intelligence agencies, as this would be contrary to the fundamental personality right enjoyed by people in Germany which, the DPA claims, an individual cannot waive, as a matter of legal principle."
Last week deputy UK information commissioner David Smith said that the CJEU's judgment meant businesses that have relied on the safe harbour framework "need to review how they ensure that data transferred to the US is transferred in line with the law". He said, though, that he recognised that review process would take businesses "some time" and stressed that data transfers can take place on the basis of "different provisions".
Smith said the ICO plans to issue new guidance for businesses on data transfers in the coming weeks after liaising with other data protection authorities in the EU. The European Commission has also said it plans to issue "clear guidance for national data protection authorities on how to deal with data transfer requests to the US, in the light of the ruling".