German State Declares Model Contract Clauses Unlawful

By JJ Bollozos, Joseph D. McClendon, and Daniel L. Farris

The Data Protection Authority in the German state of Schleswig Holstein issued a position paper and press release Wednesday in which the DPA warned that data transfers made on the basis of model contract clauses are “no longer permitted.”  Further, the Schleswig Holstein DPA has instructed businesses that they may be fined up to €300,000 for the transfer of personal data to the US “without a legal basis.”  

The Schleswig Holstein DPA is the first to adopt a position many feared might be coming in the wake of the EU Court of Justice Schrems Decision invalidating Safe Harbor.  Applying the Court of Justice’s rationale that data in the U.S. cannot be safe from the NSA or other government surveillance agencies, the Schleswig Holstein DPA has come to the conclusion that model contract clauses cannot provide an adequate level of protection to satisfy EU privacy rights either.  

The CJEU’s decision “on the adequacy of the level of data protection in the United States requires a comprehensive change in US law as well as the conclusion of an international agreement. Because neither changes are currently [under way], both options are eliminated in the short - or medium term,” the DPA said.  Further, the Schleswig Holstein DPA is recommending that companies using standard model contracts immediately cancel them with their U.S. partners, and engage in a complete review of all data transfers, consulting with the DPA in basically every instance.  

While the decision at issue relates only to a single German federal state, it underscores the concerns many have raised since the CJEU’s Schrems decision.  First, the rationale used by the court applies with equal force to other methods of transferring data.  Second, the decision not only puts companies at greater risk of regulatory enforcement, but could create a splintered decentralized approach to privacy and data security across the EU, which would make compliance significantly more difficult.  The Schleswig Holstein announcement also supports the views of some, “that any data protection guarantee that a US company makes in Europe is worthless, and so any business processing a European individual’s data on US servers exposes them to lawsuits they can’t win.”  

National data protection authorities from across the EU are set to meet to discuss the CJEU's ruling on Thursday under the auspices of the Article 29 Working Party.  It is not yet clear whether the Schleswig Holstein DPA’s view will represent the standard amongst European DPAs, or is merely an early outlier looking for headlines.  Whatever the case may be, US companies should not delay in reviewing their data transfer practices to ensure compliance as much as possible.  

For assistance in understanding how the ECJ Decision may affect your company, auditing privacy and data security compliance programs, reviewing model agreements, or preparing Binding Corporate Rules, please contact the author or a Polsinelli Privacy and Data Security team member.