Transfer of Employees’ Personal Data from Germany to the United States under German Data Privacy Law

By Nicolas Roggel, Dr. Friederike Gräfin von Brühl, K&L Gates, Berlin


Following the ECJ’s decision in the “Schrems” case which has invalidated the Safe Harbor framework (click here for our firm’s recent alert on this matter) multinational corporations may now face profound privacy law related compliance issues in a multitude of jurisdictions.

In the Schrems decision, the ECJ held that the widespread practice of U.S. companies to self-certify under the Safe Harbor standards in order to legitimize data transfers from EU companies to U.S. companies does not provide for an adequate level of data protection. As a result the court held that the Safe Harbor principles are invalid and thus shattered the legal basis for the data transfer from countless EU entities to U.S. entities. The ECJ substantiates its decision with the fact that all personal data stored in the United States is subject to almost unrestricted and unpredictable access by U.S. authorities, that the data subject has no legal way to prevent this access, and that subordination under the Safe Harbor statute does not mitigate this threat. The ECJ considers this situation to be a major and unjustifiable violation of EU citizens’ fundamental rights and requires local data protection authorities to assess the admissibility of data transfers without relying on the subordination of U.S. companies under the Safe Harbor regime.

Click here to read the full article.

Copyright © 2022, K&L Gates LLP. All Rights Reserved.