Legal basis for data transfers to the USA questioned
Safe harbor self-commitments by US service providers (the data recipients in the US) were one option for justifying data transfers to a third country with a poor level of data protection (here the United States) under an exemption, without requiring a permit. With its decision of 06.10.2015, the ECJ declared void the Commission decision of 26.10.2000 on which this exemption clause is based.
The ECJ judgement does not address the question of whether an adequate level of protection exists in principle in the United States. Nor does it give companies concrete and explicit instructions on what to do with existing data transfers (to safe harbor certified recipients). Until further notice, safe harbor can no longer serve as a lawful guarantee of a secure level of data protection. As in the past, it is possible to fall back on other options (standard contractual clauses, Binding Corporate Rules or approved individual contracts).
When an affected person complains about the insecure transfer of their personal data to a safe harbor certified data recipient, the authority has to check whether the requirements of Directive 95/46/EC are fulfilled.
In an initial assessment, the authorities point to the central role that the national and European data protection authorities will play in finding a solution. It must be determined whether data transfers to the United States need to be suspended, and in what form, even if they are based on standard contractual clauses, Binding Corporate Rules or an approval. The authorities will quickly coordinate how they proceed in clarifying the consequences of the judgement.
We will follow developments in this area and keep our clients informed of progress.
First of all, we advise our clients to create a shortlist of the affected processes in order to identify where action is needed and to prioritize them. Your ds² data protection consultant is happy to assist you.
Reports from the German data protection authorities on this subject:
- BfDI – European Court of Justice overturns Safe Harbor (06.10.2015)
- LDI NRW – ECJ declares Safe Harbor invalid
- HambBfDI – ECJ overturns transatlantic Safe Harbor agreement (06.10.2015)
- Article 29 Working Party – Article 29 Data Protection Working Party – PRESS RELEASE – Decision of the Court of Justice of the European Union on Safe Harbor (06.10.2015)
- Article 29 Working Party – Statement of the Article 29 Working Party – Press Release (16.10.2015)
- Position paper of the independent federal and state data protection authorities (Datenschutzkonferenz) (26.10.2015)