Michelle Gyves writes:
Over the course of the coming weeks, we will examine the various options available to companies in light of the European Court of Justice’s (CJEU) decision invalidating the US-EU Safe Harbor framework, including model contracts, binding corporate rules (BCRs), consent and reliance on derogations.
News out of Germany, however, indicates that a one-size-fits all approach to data transfers from the EU to the U.S. may be difficult to achieve.
As we reported in the last two weeks, in the wake of the CJEU’s decision, the German data protection authority (DPA) for the state of Schleswig-Holstein had called into question the ability of companies to rely on consent and model contractual clauses to transfer personal data to the United States and, according to unofficial sources, at least two other German DPAs (in Berlin and Breme) were in agreement. Today, the Conference of Data Protection Commissioners (which includes the German federal as well as each of the German state DPAs) has issued a Position Paper indicating that this no longer should be considered an outlier position, at least in Germany.
Read more on Proskauer Privacy Law Blog.
See also Schrems (Safe Harbor) Judgment – German Data Protection Authorities Issue Position Paper on Covington & Burling Inside Privacy.