After the European Court of Justice invalidated the EU-U.S. Safe Harbor Framework for data transfers, many companies shifted their focus to the two remaining methods to legitimize data transfers: contracts and corporate rules. Now those two alternatives are also in jeopardy, as they are being questioned by German data protection authorities.
The German federal and state data protection authorities announced that they will not approve transfers of data to the U.S. on the basis of binding corporate rules and or data export contracts, largely seen as the last remaining options for data transfers out of the EU. In a position paper, the German consortium of data authorities also stated that they would be exercising their audit powers over contractual clauses, and that the exportation of employee and third-party data to the U.S. could be done pursuant to consent in only exceptional cases.
The group noted that consent to the transfer of personal data may be acceptable more or less on an individual basis; that data transfer must not be repeated, en masse or done routinely. The data protection authorities echoed the call for a right of redress for EU citizens whose data is being transferred to the United States.
The waterfall impact of the ECJ ruling rolls on. As U.S. companies look to shore up contracts or corporate rules in the interim, they may be facing a new challenge to data transfers out of the EU.