The position of a German privacy authority challenging data transfers under the EU model clauses following the Safe Harbor decision of the ECJ created a higher level of uncertainty.The European Court of Justice invalidated the European Commission decision approving the Safe Harbor privacy principles for the transfers of personal data to the United States. This circumstance led most of our clients to start quickly executing the EU model clauses as an alternative to the Safe Harbor principles.
However, the Independent Centre for Privacy Protection of the Federal State Schleswig-Holstein, one of the seventeen data protection authorities in Germany, published its position paper on the Safe Harbor decision where it required companies exporting data to the US under the EU Model clauses to terminate or at least suspend such practice given the access rights that US authorities have on data transferred even under such type of agreement.
While most of the European privacy authorities had been very reluctant in taking a firm position asking for consolidated guidelines to be issued at the European level, it seems that such German privacy authority has taken the view that even the EU Model clauses are not a valid tool to transfer personal data to the United States. And the same authority also established that consent cannot be validly given by the data subjects for data transfers to the US which placed companies in a very difficult position.
Hopefully there will be some European guidelines to be issued soon on how to handle the matter, but in the meantime companies might consider to divert their data traffic to servers in the European Union so that they can avoid fines for breach of privacy laws.