Yesterday, German federal and state (Länder) data protection authorities ("DPAs") issued a Position Paper following the recent Court of Justice of the European Union ("CJEU") ruling that struck down the EU-US Safe Harbor Framework. Read an unofficial translation of the German Position Paper here.
Unfortunately, the Position Paper does little to relieve the pressure many organisations are now facing in relation to their cross-Atlantic data transfer mechanisms, particularly those used to transfer data from Germany to the United States.
Individual consent may be used as a mechanism for data transfers from Germany to the US, but not where data is transmitted repeatedly, on a large scale or as a routine procedure. Consent for transfers of employee data will only be acceptable in exceptional cases.
Companies are understandably alarmed by the bleak assessment of current data transfer mechanisms outlined by the German DPAs. We nonetheless advise organisations to proceed methodically, and to closely monitor for further guidance from other data protection and governmental authorities. For example, the European Commission confirmed yesterday that it will soon issue guidance on international data transfers following the CJEU decision and that it is confident good progress will be made on a new agreement for transatlantic data flows by mid-November. Read the European Commission's press release here.
Therefore, apart from data transfers based on Safe Harbor (which, according to both the German DPAs and also the Article 29 Working Group, require immediate remediation), a pragmatic approach based on preparedness is most sensible:
While both consent and Model Clause mechanisms are still subject to regulatory scrutiny in light of the Position Paper and the Article 29 Working Party's recent statement, it makes good sense to prepare these items for quick deployment. And it is also worth remembering that the Article 29 Working Party, which is a representative body of all EU data protection authorities including those in Germany, has signalled that authorities will likely wait until the end of January 2016 to flex their enforcement powers.
Read more about some of the practical suggestions we made previously for responding to the CJEU decision here.
We will continue to follow developments on the EU-US trans-Atlantic data transfer pact as details become available. Please check back for continued coverage.
 Some German data protection authorities published statements which are even more extreme, for example, denying the feasibility of any data transfers to the US or requiring a company to seek explicit approval for any data transfers to the US. However, the views of these authorities can, in this respect, be considered not in line with the general view of German DPAs as set out in the Position Paper.