German Privacy Watchdogs Require More Scrutiny When Transferring Data to the United States Under the Safe Harbor

Introduction

The German authority, the Düsseldorfer Kreis, has issued an opinion that requires additional steps for German entities using the EU-US Safe Harbor for the transfer of personal data from Germany to the United States. 

This is a somewhat startling development as it previously was assumed that registration under the Safe Harbor by a US recipient of personal data from the EU was, by itself, adequate for the transfers to proceed.  Now, in Germany at least, greater diligence is required by the exporter of the data to the US to confirm that the Safe Harbor principles are followed by the recipient in the US.

The Düsseldorfer Kreis is a working group of representatives from Germany’s sixteen state data protection authorities that provides a uniform "German" approach to data protection questions.  It issued a Decision (dated 28/29 April 2010) ("Decision") on the transfer of personal data from German companies to U.S. companies which are certified under the U.S.-EU Safe Harbor framework ("Safe Harbor"). The Decision responded to criticism of the Safe Harbor, in particular that (some) US companies represent that they are formally registered but do not adequately live up to the commitments the registration connotes. 

The representation by a U.S. entity that it is Safe Harbor certified now is not enough according to the Düsseldorfer Kreis because, in its view, European and U.S. regulators currently do not ensure that the U.S. companies comply with the self-certification.

The Federal Trade Commission in the United States is charged with enforcement of the Safe Harbor, to ensure that entities claiming registration are in fact registered and compliant.  See our previous report on FTC enforcement activity.  It appears that FTC enforcement power and its record of enforcement was inadequate in the eyes of the German officials.

What more is needed when the Safe Harbor is used for Germany-US personal data transfers?

German companies now are obliged to assess certain minimum criteria prior to transferring personal data to Safe Harbor-registered US companies:

1. German companies exporting personal data must confirm that the US entity actually is registered  on the Safe Harbor, and is not just claiming that it is registered. 

2. There must be confirmation that the US recipient is fulfilling its Safe Harbor obligations of notice  to individuals whose data is collected; specification of the purpose for which the data is collected and used; disclosure of whatever third parties subsequently receive the data once it is transferred to the US; provision of a mechanism for data subjects to limit the use and disclosure of data; and a complaint process for data subjects.    

3. The German company must also document its assessment and provide its documentation to the competent data protection authority upon request.

4. In case any infringement of the Safe Harbor Principles or the expiration of a registration is detected, the data protection authorities should be informed.

Perspective

European regulators take data protection seriously and are taking steps to bolster enforcement. German companies transferring personal data to the US now have to be careful which Safe Harbor certified company to choose — or whether even to switch to other approved safeguards (e.g., Standard Contractual Clauses), an alternative solution proposed by the Düsseldorfer Kreis.  It remains to be seen whether this additional level of Safe Harbor diligence will be required  by other European regulators.

Authored by Florian Unseld.