The data protection authority at the German federal state of Schleswig Holstein has declared that any and all data protection workarounds for the transfer of data to the US after the European Court of Justice's Schrems v Facebook judgment are going to be illegal.
In its first declaration on the post-Schrems legal landscape, the influential DPA says in a written opinion (in German) that only a change in US law can make US companies compliant with European legislation and has advised companies to adjust their business relationships accordingly.
It has warned businesses and governmental bodies that they may be fined up to €300,000 for the transfer of personal data to the US "without a legal basis".
A historic decision in favour of Austrian privacy advocate Max Schrems last week invalidated the “Safe Harbor” agreements that allow US companies to export European personal data. It shifted power away from the European Commission to the national (and in Germany’s case, federal) data protection authorities. Schleswig Holstein has historically been a leader in data protection and privacy, and helped shape EU law. The state went after Facebook – hard – four years ago.
Following the ECJ's Schrems decision, US companies have invoked “model clauses” , or template contracts, in the hope of legitimising the transfer of personal data to countries regarded as unsafe… such as the US. Microsoft and Salesforce have invoked the clauses.
But the ULD (Schleswig-Holstein DPA) says these are no cover - at least not in the northern German state.
“A decision of the Commission on the adequacy of the level of data protection in the United States requires a comprehensive change in US law as well as the conclusion of an international agreement. Because neither changes are currently [under way], both options are eliminated in the short - or medium term,” the DPA reckons.
Last week, open source CEO Rafael Laguna explained that no business using US infrastructure is now safe from being sued by its European customers.
"When a customer sues me, I go to court and find that agreement isn’t worth a dime. Google cannot guarantee what they’re guaranteeing," OpenXchange's Laguna told us.