We reported previously on the data protection authority (DPA) in Schleswig-Holstein making a statement which seemed to in essence prohibit data transfers from that state to the US. As that DPA has a history of taking a strong line in issues of legislative interpretation, we had hoped that the other DPAs in Germany (which are run on a state by state basis) would take a less restrictive approach.
However, in a joint statement today the DPAs have followed the same route. We’re doing a full analysis but our initial thoughts suggest:
- Safe Harbor is no longer a legitimate basis for transfer to the US;
- No new transfers of data under data transfer agreements nor binding corporate rules will be approved;
- Transfer may happen on the basis of consent in some very limited circumstances, but this won’t work for employee data nor for routine or repeated transfers;
- The DPAs call on the Commission and the US to obtain the changes required to comply with the decision, and for the Commission to issue revised standard contractual clauses for data transfers.
Where this leaves German businesses remains to be seen. As the DPAs in Germany are independent, it remains open to them to enforce independently, and this statement is not binding; however, it would seem difficult for one authority to run contrary to this joint statement. We will update you as and when we have further guidance on this issue.
Jonathan Armstrong and André Bywater are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785