Industry eagerly awaits further guidance from data protection authorities (“DPAs”) relating to the EU-U.S. Privacy Shield as well as on the validity (or otherwise) of other mechanisms for transfers to the U.S. such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”).  As we explained in recent posts (here and here), publication of an opinion by the Article 29 Working Party, representing, among other things, the EU’s data protection authorities, is a key next step that will shape enforcement and data transfer options for companies in the post-Schrems environment.  Until then, here is a summary of the approach that some of the national DPAs are taking:

  • Austria.  The Austrian Data Protection Authority (the “Austrian DPA”) has published FAQs on its website (see here), confirming that data transfers to the U.S. should not take place exclusively on the basis of the Safe Harbor.  Instead, companies could either store and process personal data locally on a server in the European Economic Area or in third countries which have been officially recognized as providing an adequate level of protection.  Alternatively, they can base the data transfer on one of the statutory derogations or, in principle, on SCCs or BCRs; however, in the latter two cases, the Austrian DPA reserves the right to assess the adequacy of the level of protection on a case-by-case basis in the framework of the authorization procedure.  Whilst the Austrian DPA has not stated that it would take enforcement action, it might be obliged to do so if it becomes aware of a violation of the Austrian data protection law.
  • Estonia.  Senior officials within the Estonian Data Protection Inspectorate are reported to have put in place an informal enforcement moratorium, and will not “take enforcement actions against enterprises who were using invalidated Safe Harbor — until the moment when the new EU-U.S. Privacy Shield will be available for them.”
  • France.  While the French data protection authority (the “CNIL”) is largely aligned with the opinions expressed by the Article 29 Working Party, it has started to implement enforcement measures.  We understand that the CNIL started sending notices to data controllers as early as November 2015.  The notices remind data controllers that they can no longer rely on the now-defunct Safe Harbor and request that they move to alternative transfer mechanisms.  The CNIL had previously stated that if no alternative basis for transfer is declared to the CNIL by the end of January 2016, the CNIL will assume that transfers of personal data to the U.S. have stopped and that the CNIL reserves the right to take appropriate measures if the conditions for transfer of personal data do not comply with the French Data Protection Law.
  • Germany.  The German data protection authorities responsible for data protection at federal and state level (the “German DPAs”) published a position paper (see here and our blog post here) on the EU-U.S. Safe Harbor in the wake of its invalidation.  Among other things, the German DPAs announced that the validity of SCCs and BCRs is called into question and that they would not issue new authorizations for transfers to the U.S. based on BCRs or data export agreements (essentially, substantively amended SCCs or ad-hoc agreements).  The German DPAs also stated that if they become aware of transfers of personal data exclusively based on the Safe Harbor, they will prohibit such transfers.

This position has also been confirmed in statements issued by individual German DPAs last year and after the public announcement of the Privacy Shield at the beginning of February this year (for instance, for Hessen see here, for Bavaria see here, for North Rhine-Westphalia see here, and for Rhineland-Palatinate see here).  Already in November last year, the Hamburg DPA announced a three-phase approach (see here): as a first step, the Hamburg DPA identified companies that are most likely to transfer personal data to the U.S. and informed them of the implications of the Schrems ruling; between December 2015 and January 2016 the Hamburg DPA issued information requests to those companies asking them whether they actually transfer personal data to the U.S. and, if so, on which legal basis; and, as a third step, the Hamburg DPA threatened to take enforcement action starting in February 2016 to prevent illegal data transfers taking place on the basis of the now-defunct Safe Harbor framework.  The most critical position among the German DPAs has been taken by the Schleswig-Holstein DPA (the “ULD”).  In a position paper dated October 14, 2015 (see here), the ULD threatened that it may prohibit or suspend data transfers to the U.S. based on the SCCs by administrative order and impose administrative fines for violations of the Federal Data Protection Act.  The ULD announced that it will examine whether orders against private bodies must be issued and on which basis data transfers to the U.S. must be suspended or banned.  Furthermore, it will examine whether private bodies have committed an offence by transmitting data to a third country without an adequate level of data protection.

We are not aware of any of the German DPAs having issued administrative orders prohibiting or suspending data transfers to the U.S., or having imposed sanctions for such transfers.

  • The Netherlands.  Senior officials within the Dutch Data Protection Authority are reported to be taking a pragmatic, “wait-and-see” approach, noting that it “will not take enforcement actions until we have ended our analysis.”
  • Poland.  The Polish data protection authority (Inspector General for Personal Data Protection – “GIODO”) released a statement, prior to the Privacy Shield announcement, confirming that under Polish data protection law, SCCs and BCRs can still be used, but that it will “react to any complaints received… even those submitted before 1 February 2016” (the initial end-date of the Article 29 Working Party enforcement moratorium).
  • Sweden.  Senior officials within the Swedish Data Protection Authority are reported to have put in place an informal enforcement moratorium, the duration of which is uncertain as “for the moment [the Swedish Data Protection Authority is] not taking any such action” (emphasis added).
  • UK.  The UK Information Commissioner’s Office (“ICO”) has said that it is “clear that organisations can continue to use other tools such as SCCs and BCRs for transfers to the USA”, and that it is not “rushing to use our enforcement powers.  There is no new and immediate threat to individuals’ personal data that has suddenly arisen that we need to act quickly to prevent” (see ICO blog post and interim guidance).

Inside Privacy will continue to monitor the respective enforcement positions of the Member State data protection authorities as well as the opinion of the Article 29 Working Party, which we can hopefully expect in the coming weeks.

Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.

Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sectors. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of the practice: advising clients on government affairs strategies concerning lawmaking, providing compliance advice on the adopted laws, regulations and guidelines, and representing clients in non-contentious and contentious matters before data protection authorities.