Auf Wiedersehen to Transfers of Personal Data From Germany
Last week, we reviewed developments around Europe following the landmark Schrems decision from the European Court of Justice. With the U.S.-EU Safe Harbor agreement invalidated, several European data protection authorities (DPAs) have issued follow-up statements, but few have been as outspoken as Germany, which has further restricted data transfers between the United States and European Union.
In an October 26, 2015 position paper, a group of German DPAs representing the federal government and 16 German states construed the Schrems ruling as finding “questionable” two of the three primary workarounds for the Safe Harbor: binding corporate rules and model contract clauses. Going forward, German DPAs will not “issue any new permission” for data transfers to the United States under these two mechanisms. Therefore, the only remaining option for organizations seeking to transfer the personal data of German citizens to the United States is to obtain the data subject’s consent to the transfer. Even so, the position paper makes it clear that these transfers cannot “occur repeatedly, on a mass scale or routinely.” Furthermore, when the personal data of employees is involved, transfers are only permissible in “exceptional cases.”
The German position paper directly contradicts the “Statement of the Article 29 Working Party” issued on October 16, 2015, which said that until EU member states and the United States agree on a new solution, DPAs “consider that Standard Contractual Clauses and Binding Corporate Rules can still be used,” at least through the end of January 2016. Even so, organizations that house the data of German citizens should beware, as Hamburg’s data protection registrar has already begun auditing companies registered under the Safe Harbor agreement and is prepared to issue prohibition orders.
If EU data is implicated in U.S. litigation or investigations, then issue a litigation hold directing that the data be preserved in place rather than transferring it out of its host country. Keep your collection as targeted as possible to limit the need to gather personal information; avoid sweeping collection techniques, such as imaging hard drives, and use filtering mechanisms such as keywords to exclude personally identifiable information.