Industry eagerly awaits further guidance from data protection authorities (“DPAs”) relating to the EU-U.S. Privacy Shield as well as on the validity (or otherwise) of other mechanisms for transfers to the U.S. such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”).  As we explained in recent posts (here and here), publication of an opinion by the Article 29 Working Party, representing, among other things, the EU’s data protection authorities, is a key next step that will shape enforcement and data transfer options for companies in the post-Schrems environment.  Until then, here is a summary of the approach that some of the national DPAs are taking:

  • Austria.  The Austrian Data Protection Authority (the “Austrian DPA”) has published FAQs on its website (see here), confirming that data transfers to the U.S. should not take place exclusively on the basis of the Safe Harbor.  Instead, companies could either store and process personal data locally on a server in the European Economic Area or in third countries which have been officially recognized as providing an adequate level of protection.  Alternatively, they can base the data transfer on one of the statutory derogations or, in principle, on SCCs or BCRs; however, in the latter two cases, the Austrian DPA reserves the right to assess the adequacy of the level of protection on a case-by-case basis in the framework of the authorization procedure.  Whilst the Austrian DPA has not stated that it would take enforcement action, it might be obliged to do so if it becomes aware of a violation of the Austrian data protection law.
  • Estonia.  Senior officials within the Estonian Data Protection Inspectorate are reported to have put in place an informal enforcement moratorium, and will not “take enforcement actions against enterprises who were using invalidated Safe Harbor — until the moment when the new EU-U.S. Privacy Shield will be available for them.”
  • France.  While the French data protection authority (the “CNIL”) is largely aligned with the opinions expressed by the Article 29 Working Party, it has started to implement enforcement measures.  We understand that the CNIL started sending notices to data controllers as early as November 2015.  The notices remind data controllers that they can no longer rely on the now-defunct Safe Harbor and requested controllers to move to alternative transfer mechanisms.  The CNIL had previously stated that if no alternative basis for transfer is declared to the CNIL by the end of January 2016, the CNIL will assume that transfers of personal data to the U.S. have stopped and that the CNIL reserves the right to take appropriate measures if the conditions for transfer of personal data do not comply with the French Data Protection Law.
  • Germany.  The German data protection authorities responsible for data protection at federal and state level (the “German DPAs”) published a position paper (see here and our blog post here) on the EU-U.S. Safe Harbor in the wake of its invalidation.  Among other things, the German DPAs announced that the validity of SCCs and BCRs is called into question and that they would not issue new authorizations for transfers to the U.S. based on BCRs or data export agreements (essentially, substantively amended SCCs or ad-hoc agreements).  The German DPAs also stated that if they become aware of transfers of personal data exclusively based on the Safe Harbor, they will prohibit such transfers.

This position has also been confirmed in statements issued by individual German DPAs last year and after the public announcement of the Privacy Shield at the beginning of February this year (for instance, for Hessen see here, for Bavaria see here, for North-Rhine Westphalia see here, and for Rhineland-Palatinate see here).  Already in November last year, the Hamburg DPA announced a three-phase approach (see here): as a first step, the Hamburg DPA identified companies that are most likely to transfer personal data to the U.S. and informed them of the implications of the Schrems ruling; between December 2015 and January 2016 the Hamburg DPA issued information requests to those companies asking them whether they do actually transfer personal data to the U.S. and, if so, on which legal basis; and, as a third step, the Hamburg DPA threatened to take enforcement actions starting in February 2016 to prevent illegal data transfers taking place on the basis of the now-defunct Safe Harbor framework.  The most critical position among the German DPAs has been taken by the Schleswig-Holstein DPA (the “ULD”).  In a position paper dated October 14, 2015 (see here), the ULD threatened that it may prohibit or suspend data transfers to the U.S. based on the SCCs by administrative order and impose administrative fines for violations of the Federal Data Protection Act.  The ULD announced that it will examine whether orders against private bodies must be issued and on which basis data transfers to the U.S. must be suspended or banned. Furthermore, it will examine whether private bodies have committed an offence due to the transmission of data to a third country without an adequate level of data protection.

We are not aware of any of the German DPAs having issued any administrative orders prohibiting or suspending data transfers to the U.S. or imposing sanctions therefore.

  • The Netherlands.  Senior officials within the Dutch Data Protection Authority are reported to be taking a pragmatic, “wait-and-see” approach, noting that it “will not take enforcement actions until we have ended our analysis.”
  • Poland.  The Polish data protection authority (Inspector General for Personal Data Protection – “GIODO”) released a statement, prior to the Privacy Shield announcement, confirming that under Polish data protection law, SCCs and BCRs can still be used, but that it will “react to any complaints received… even those submitted before 1 February 2016” (the initial end-date of the Article 29 Working Party enforcement moratorium).
  • Sweden.  Senior officials within the Swedish Data Protection Authority are reported to have put in place an informal enforcement moratorium, the duration of which is uncertain as “for the moment [the Swedish Data Protection Authority is] not taking any such action” (emphasis added).
  • UK.  The UK Information Commissioner’s Officer (“ICO”) has said that it is “clear that organisations can continue to use other tools such as SCCs and BCRs for transfers to the USA”, and that it is not “rushing to use our enforcement powers.  There is no new and immediate threat to individuals’ personal data that has suddenly arisen that we need to act quickly to prevent” (see ICO blog post and interim guidance).

Inside Privacy will continue to monitor the respective enforcement positions of the Member State data protection authorities as well as the opinion of the Article 29 Working Party, which we can hopefully expect in the coming weeks.

Tags: Article 29 Working Party, Austria, CNIL, Data Transfer, enforcement, Estonia, EU-U.S. Privacy Shield, EU-U.S. Safe Harbor Agreement, Europe, European Union (EU), France, Germany, GIODO, Sweden, The Netherlands, UK Information Commissioner's Office (ICO), United Kingdom (UK)
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Mark Young Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the…

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
Advising life sciences companies on industry-specific data privacy issues, including:

clinical trials and pharmacovigilance;
digital health products and services; and
engagement with healthcare professionals and marketing programs.

International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:

supervising technical investigations and providing updates to company boards and leaders;
advising on PR and related legal risks following an incident;
engaging with law enforcement and government agencies; and
advising on notification obligations and other legal risks, and representing clients before regulators around the world.

Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
Representing clients in connection with references to the Court of Justice of the EU.

Read more about Mark YoungEmail
Show more Show less
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Read more about Kristof Van QuathemEmail
Show more Show less