After the decision of October 6, 2015, of the Court of Justice of the EU (CJEU) invalidating the decision from the EU Commission (Decision 2000/520) on the Safe Harbor, transfer of personal data to the U.S. based on Standard Contractual Clauses and other means provided by article 26 of the Directive 95/46 are in principle still valid. Will this remain? The Schleswig-Holstein (Germany) Data Protection Authority (DPA) is the first DPA to officially express in a position paper (October 14, 2015) that it could use its power to suspend or prohibit these transfers. The argument of this DPA is in line with the issues that the CJEU pointed out in its decision of October 6, 2015; the U.S. does not offer the required level of protection for two main reasons:
- The U.S. authorizes, on a general basis, storage of all personal data of all persons whose data are transferred from the EU without differentiation, limitation or exception being made in light of the objective pursued and without objective criteria to limit the access of public authorities to the data and its subsequent use.
- The U.S. does not provide legal avenues for individuals to access their personal data or to obtain rectification or erasure of such data; this compromises the essence of the fundamental right to effective judicial protection, such protection being inherent in the existence of the rule of law.
Since these shortcomings can be solved only by a modification of the U.S. legal landscape, this DPA considers that it could suspend or prohibit personal data to the U.S. based on Standard Contractual Clauses and other means of transfer.
For more information on the EU-US transfers, please also refer to the following prior Password Protected blog posts:
CJEU Declares the EU Commission Safe Harbor Decision Invalid
Advocate General Bot Proposes That CJEU Declare the Safe Harbor Invalid
European Hearing on the Future of Safe Harbor