Safe Harbor Updates: 2.0 Agreement 'In Principle,' While Germany Nixes Alternatives and Others Jump Aboard
Client Alert | 3 min read | 10.28.15
The last few days have brought a mixed bag of developments regarding EU-U.S. cross-border data transfers. By way of background, the European Court of Justice recently invalidated the U.S.-EU Safe Harbor Framework (Safe Harbor), which allowed over 4,400 U.S. companies that self-certified with the Department of Commerce their compliance with privacy rules similar to those in EU data protection law to transfer personal data. Some hold out hope that agreement on a Safe Harbor 2.0 will save the day. In a conference with the European Parliament on October 26, EC Commissioner Věra Jourová announced that, "in principle," there is agreement on Safe Harbor 2.0. However, the EU and the U.S. are still discussing how to ensure that the commitments are strong enough to meet the requirements set by the European Court of Justice in the October 6 Safe Harbor decision.
Among the issues that still need to be addressed—a big one since it has been the main sticking point in negotiations and the foundation of the court's opinion—is how to establish clear conditions to and limits on access to EU personal data by U.S. intelligence services. Jourová said the new program will establish an annual review mechanism run by authorities on both sides of the Atlantic that will monitor whether law enforcement and national security services comply with established limits and conditions. She also promised that the Commission will issue a statement soon explaining the consequences of the ECJ Safe Harbor (Schrems) ruling and set guidance for international data transfers, without overriding the authority of national data privacy regulators.
Also on October 26, German data protection authorities (DPAs) issued a common position paper, stating that data transfers relying on the safe harbor program are no longer legal. The 16 regional DPAs and the federal DPA announced that if they become aware of data transfers to the U.S. which solely rely on Safe Harbor, they will prohibit such transfers.
Most importantly, the German authorities collectively concluded that alternatives to the U.S.-EU Safe Harbor Program do not offer a viable basis for data transfers to the U.S. Specifically, the DPAs said that they will not approve any new transfers on the basis of Binding Corporate Rules or data export contracts (i.e., modified Model Contracts or ad hoc agreements). While the DPAs welcomed the time limit until January 31, 2016, set by the Article 29 Working Party to establish acceptable alternatives to safe harbor transfers, they emphasized that Standard Contractual Clauses (SCCs or Model Contracts) would have to meet the requirements mentioned in the ECJ decision. The DPAs also said that they would "execute their audit rights" regarding Standard Contractual Clauses to examine them in light of the ECJ decision. They also confirmed their view that consent is rarely, if ever, an adequate alternative for data transfers.
The German DPAs' position paper did not stop there but had a few additional components, including:
- Requesting that the member states' legislators grant DPAs a right of action in accordance with the decision of the ECJ.
- Urging the European Commission to develop sufficiently far-reaching guarantees for the protection of privacy, when negotiating with the U.S., including:
  - The right to judicial protection.
  - Substantive data protection laws.
  - The principle of proportionality.
In an additional note, the German Federal Data Protection Officer again stressed that the U.S. might have to substantially improve the level of protection of fundamental rights of EU citizens in the course of data transfers from the EU to the U.S. The Judicial Redress Bill, which was recently adopted by the House of Representatives, would be a "first step, but however not sufficient" in its current form.
While most German state DPAs follow a rather strict approach and have partly announced that they will no longer authorize data transfers on the basis of data export agreements or Binding Corporate Rules, the DPA of Hamburg has announced that until there is clarity about how to carry out data transfers in the future, "transfers based on Standard Contractual Clauses or Binding Corporate rules will not be objected." However, even this DPA has announced that it will examine transfers which solely rely on the old Safe Harbor regime, and in particular transfers of subsidiaries of Safe-Harbor listed US companies that send data to their parent company in the U.S.
The German authorities are not alone in their aggressive approach. Three days earlier, the DPA of Portugal also issued a press release, in which it questioned Standard Contractual Clauses, Binding Corporate Rules, and other ad hoc contracts as legitimate mechanisms for data transfers to the U.S. The Portuguese DPA therefore announced that it will only issue "provisional authorizations" in the near future.



