A stricter regime for profiling07 June 2016
German Data Protection Commissioners Push Government Towards Suspension of U.S. – EU Safe Harbor Regime
The official press release of the data protection commissioners expects "the Federal Government to do everything to protect the people in Germany against access to their data by third parties" and asks the Government "to negotiate a high level of data protection and regulation in Brussels which will prevent comprehensive and causeless surveillance by European and non-European authorities". The request to suspend the U.S. - EU Safe Harbor regime is not mentioned explicitly in the press release.
The U.S. – EU Safe Harbor regime allows data controllers to export personal identifiable data from countries of the European Union to the U.S. provided the U.S. recipient is registered under the Safe Harbor regime. The Safe Harbor regime is one of several options to safeguard the "adequate level of data protection" required under the EU Directive 95/46 (and national laws implementing the Directive) for the export of personal data into third countries.
Safe Harbor has been critically viewed by German data protection authorities in the past: in 2010 already, the German data protection authorities issued guidelines which required German companies, prior to exporting personal data to Safe Harbor certified U.S. recipients, only after verifying the recipient's registration status and the recipient's compliance with the information obligations under Safe Harbor, and keeping a record of such verification on file.
The publications by Edward Snowden on the scope of NSA's activities caused significant political discussion in Germany. Reports in Germany referred to about 500 million screened phone calls, emails and chats in Germany monthly (for a population of 80 million). Political pressure made the German Minister of the Interior, Hans-Peter Friedrich, travel to the U.S. with a quest to obtain further information.
The new move could have a significant impact, if it is successful: all companies relying on Safe Harbor for the transfer of personal data from the EU to the U.S. could suddenly face a situation where either such data transfers must be suspended (which is difficult to imagine against the background of globally operated IT systems), or face fines by data protection authorities for unlawful processing of data. Companies would look into short-term alternatives, like using the EU Model Clauses for the transfer of data. In the long-term, sustainable means like Binding Corporate Rules might become even more attractive than they are currently.
It remains to be seen whether the German government endorses this approach by the German data protection commissioners: In the past, the German government supported the U.S. government and defended NSA's activities as useful and proportionate.
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data...06 June 2016
Grounds for processing03 June 2016