Two days before the Article 29 Working Party (“WP29”) issued its joint statement regarding the Schrems judgement, and just a few days after we were warned not to expect any co-ordinated response from the German DPAs until various discussions had been completed, the Data Protection regulator of Schleswig-Holstein issued a controversial statement on its approach to international transfers post 6 October 2015.
The statement considers the basis of the judgement of the European Court of Justice, and results in a fairly damning conclusion that even Standard Contractual Clauses cannot fill the gap left by the demise of safe harbour. This is on the basis that US companies cannot comply with the guarantee they must give in the Standard Contractual Terms that they are not subject to laws which would make it impossible to comply with the contractual obligations.
As a result, the Schleswig-Holstein DPA considers data controllers in the EU should consider terminating their contracts containing Standard Contractual Clauses (and presumably stop transferring data as a result) or suspending data transfers under the terms of the Clauses.
If companies don’t do this, the DPA will consider whether to issue an administrative order to require the suspension of transfers, and notes that transfers which do not have a legal basis can be punished with a fine of up to €300,000.
It appears that for this DPA, the only legitimate transfers of data to the US in the current climate are those made with very specific informed consent, which would be impossible to obtain in the case of employees, and unlikely to be possible in the case of other personal data too.
This leaves the only other permissible exemptions, which are for the performance of a contract between the data controller and data subject (or the implementation of pre-contractual measures in relation to such a contract), or for the conclusion or performance of a contract which is entered into in the interests of a data subject. However, neither of these exemptions will assist anyone seeking to transfer employee data to the US.
The DPA did not comment on the validity of Binding Corporate Rules in this scenario. Whilst some commentators believe that this omission suggests they would be acceptable, on the basis of the staunch approach taken above, I wouldn’t be so sure. At present, Binding Corporate Rules in essence require the data controller to make an assessment of adequacy; in light of all of the information released to date, that assessment is a tricky one.
This shouldn’t come as too much of a surprise – this particular DPA has a history of criticising Safe Harbor. Back in 2010, they highlighted issues with the lack of enforcement by the FTC – we’ve written previously here on the German regulators’ relationship with Safe Harbor.
If your German entity is based in the German state of Schleswig-Holstein, you do need to take note. It will be very easy (as the WP29 has already suggested) for the DPA to check the Safe Harbor register to see who is registered and therefore relying on Safe Harbor; contact may come in the not too distant future.
But if you are in one of the other German states or elsewhere in Europe – don’t panic. No other DPA has come up with such a restrictive position – this is the Schleswig-Holstein DPA’s own interpretation of the Schrems ruling. One could comment that this doesn’t augur well for the DPA “one-stop-shop” under the proposed EU Data Protection Regulation (for more on the scope of jurisdiction of DPAs, see our article here about the European Court’s ruling in the Weltimmo case).
And the WP29 statement, which comes from a body with a representative from each DPA, sends a very different message – although the WP29 has said that it will “continue its analysis on the impact of” the Schrems ruling “on other transfer tools”, Standard Contractual Clauses are still on the approved list, and very much the favoured option, at least in the short term. So, in stepping away from the crowd, has the Schleswig-Holstein DPA gone a bit too far?
Gayle McFarlane, Andre Bywater and Jonathan Armstrong are lawyers with Cordery in London where they focus on regulatory compliance, processes and investigations.