Auf Wiedersehen to Transfers of Personal Data From Germany

December 9, 2015

Bill Mariano

Last week, we reviewed developments around Europe following the landmark Schrems decision from the European Court of Justice. With the U.S.-EU Safe Harbor agreement invalidated, several European data protection authorities (DPAs) have issued follow-up statements, but few have been as outspoken as Germany, which has further restricted data transfers between the United States and European Union.

In an October 26, 2015 position paper, a group of German DPAs representing the federal government and 16 German states construed the Schrems ruling as finding “questionable” two of the three primary workarounds for the Safe Harbor: binding corporate rules and model contract clauses. Going forward, German DPAs will not “issue any new permission” for data transfers to the United States under these two mechanisms. Therefore, the only remaining option for organizations seeking to transfer the personal data of German citizens to the United States is to obtain the data subject’s consent to the transfer. Even so, the position paper makes it clear that these transfers cannot “occur repeatedly, on a mass scale or routinely.” Furthermore, when the personal data of employees is involved, transfers are only permissible in “exceptional cases.”

The German position paper opinion directly contradicts the “Statement of the Article 29 Working Party” issued on October 16, 2015, which said that until EU member states and the United States agree on a new solution, DPAs “consider that Standard Contractual Clauses and Binding Corporate Rules can still be used,” at least through the end of January 2016. Even so, organizations that house the data of German citizens should beware, as Hamburg’s data protection registrar has already begun auditing companies registered under the Safe Harbor agreement and is prepared to issue prohibition orders.

If EU data is implicated in U.S. litigation or investigations, then issue a litigation hold directing that the data be preserved in place rather than transferring it out of its host country. Keep your collection as targeted as possible to limit the need to gather personal information; avoid sweeping collection techniques, such as imaging hard drives, and use filtering mechanisms such as keywords to exclude personally identifiable information.

Auf Wiedersehen to Transfers of Personal Data From Germany

Digital transformation of government technology and services enhances constituent experiences

Digital payments: More than just convenient

Creating connections in California: Sharing good news about secure payments for citizens

Adopting digital payments to avoid the “road less traveled”

Four ways digital payments can streamline your financial operations

Earth Day 2023: Reflecting on investing in our planet

Honoring legacies by embracing equity

ConduentCares, India: Sustainability efforts for our environment and communities

Why updating OMB race and ethnicity data standards matters for health equity

Three key strategies for small to mid-sized healthcare payers in the Medicare Advantage market

When Reducing Costs, Cutting Customer Experience Isn’t the Answer

Driving Toward Sustainable Cities: Enhancing accessibility and optimizing passenger flows

For telcos, simplifying convergence is the best way to deliver customer service excellence

Policy, engagement, families take center stage at National Child Support Enforcement Association 2023 Policy Forum

Podcast: Getting Total Rewards Right in an Evolving HR and Benefits Environment

From Bare Minimum to Enthusiastic – Ways to Engage Your Workforce

Engagement and Enthusiasm at NCSEA Policy Forum 2023

Conduent Transportation helps expand campaign to aid and assist vulnerable members of the public

A Season for Children

New Experiences and Familiar Faces at WICSEC 2022