On October 14, 2015, the data protection authority (“DPA”) in the German state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz) issued a position paper (the “Position Paper”) on the Safe Harbor Decision of the Court of Justice of the European Union (the “CJEU”).
In the Position Paper, the DPA disagrees with the European Commission’s (the “Commission's”) opinion that alternative data transfer mechanisms may be used in place of Safe Harbor. According to the Position Paper, mechanisms such as consent and EU standard contractual clauses that are currently being discussed should be evaluated in a new way. This evaluation must focus on the principles established by the CJEU, in particular the comparable legal level of protection. The Position Paper indicates that a long-term solution would require a significant change in U.S. law. It is unknown whether other German DPAs will concur with the Position Paper.
It should be noted that the Position Paper is the opinion of only one DPA in Germany, which is known to be conservative. The Position Paper does not invalidate any prior adequacy decisions made by the Commission. As the CJEU held in Schrems v. Facebook, DPAs in the Member States cannot invalidate Commission adequacy decisions.
The Position Paper discusses the recent Schrems v. Facebook decision that invalidated the U.S.-EU Safe Harbor Framework as a data transfer mechanism. The Position Paper notes that there are limited options for the Commission to take with respect to data transfers to the U.S. in the wake of the Schrems decision. These options, however, would require the U.S. to implement comprehensive changes to U.S. law which may be unlikely in the short or medium-term.
With respect to alternative data transfer mechanisms, the Position Paper concludes the following:
- Consent: The Position Paper notes that individuals must provide effective informed consent. According to the Position Paper, this entails providing individuals with comprehensive information on the lack of personal data protection in the U.S., including (1) the ability and wide-ranging power of the U.S. government to access their data, (2) the lack of data subjects’ rights, and (3) the general failure of the U.S. to adhere to the purpose limitation and necessity principles that are embedded in EU law. Given these issues, especially what it deems groundless mass surveillance conducted by U.S. intelligence agencies, the Position Paper concludes that consent may not be an option to provide a legal basis for data transfers to the U.S.
- Performance of a Contract: The Position Paper notes that contractual and necessary data transfers between the data subject and the data controller, such as providing data to book travel arrangements, are permissible. The Position Paper, however, indicates that this legal ground would not provide a legal basis for transfers of employee personal data that may be processed in the U.S. for purposes related to employee performance or behavior control.
- EU Standard Contractual Clauses: With respect to standard contractual clauses as a legal basis for transferring personal data to the U.S., the Position Paper refers to Commission decision 201/87/EU of February 5, 2010 (controller-to-processor data transfers) and Commission decision 2001/497/EC of June 15, 2001 (controller-to-controller transfers). In these decisions, a data importer must agree that it has no reason to believe that any applicable laws will prevent it from fulfilling the instructions and contractual obligations of the data exporter. If that is not the case, then the data exporter has the right to suspend the transfer of data and/or terminate the contract. Therefore, the Position Paper states that data exporters must consider exercising those rights.
Investigations by the DPA
The Position Paper indicates that the Schleswig-Holstein DPA is considering using the power granted to it by Article 4 of Commission decision 201/87/EU of February 5, 2010 to “prohibit or suspend data flows to third countries in order to protect individuals with regard to the processing of their personal data,” if the data importer is not able to comply with EU data protection law, or if the requirements of Article 13 of the EU Data Protection Directive 95/46/EC are not satisfied. The Position Paper further states that data transfers to the U.S. without a legal basis constitute an administrative offense and may be sanctioned with a fine of up to 300,000 EUR.
The Position Paper concludes by noting that the Schleswig-Holstein DPA will assess whether it has to issue administrative orders to prohibit or suspend data transfers and examine whether any offenses have been committed as a result of transferring personal data to the U.S. that does not guarantee an adequate level of data protection.
Search
Recent Posts
- D.C. Circuit Upholds Protecting Americans’ Data from Foreign Adversary Controlled Applications Act as TikTok Ban Dispute Edges Closer to Supreme Court
- FTC Issues Proposed Consent Order Against IntelliVision for False or Misleading Claims about Its AI Facial Recognition Technology
- Agencies Focus on National Security and AI Directives Pursuant to Executive Orders
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code