U.S. companies may need to consider alternative means to comply with the strict European Data Protection Laws as German data protection authorities take matters into their own hands: the DPAs of Berlin and Bremen are filing proceedings against U.S. companies that allegedly do not comply with the Safe Harbor framework.
Speaking at the European Data Protection Conference in Berlin on 29 January 2015, the current Commissioner for Data Protection of Berlin, Dr. Alexander Dix, stressed that the European Commission's (EC) 2000 decision approving the Safe Harbor regime must be revoked unless the current practice of data transfers from the EU to the U.S. changes significantly.
Put simply, German regulators are sending U.S. companies the message that they need to pull their data protection socks up or find themselves designated an 'unsafe harbor' (at least by these particular regulators). They are not the only regulators to take this view. Our data protection law experts in Munich take a closer look at recent Safe Harbor developments.
Background on "Safe Harbor"
In a nutshell, the EU/U.S. Safe Harbor framework constitutes a popular and easy tool utilized by international companies to transfer personal data between the EU and the U.S. In 2000, the EU Commission published the "Safe Harbor" decision providing means to safely transfer personal data from within the EU into the U.S.
Without the Safe Harbor framework, European companies would fail to comply with the strict data export rules of the EU (unless they fall within one of the other permitted means of transferring personal data outside of the EEA; more on the alternative mechanisms below). As the framework was and still is heavily criticised [see the recent statement of the Art. 29 Working Party], the EC published 13 recommendations to improve the effectiveness of the Safe Harbor framework (for more information on these 13 recommendations and on Safe Harbor, read Kirsten Whitfield's alert "Un-Safe Harbor: Is Safe Harbor an adequate means of protecting EU personal data transferred to the US?").
Currently there are around 5,000 U.S. companies certified as compliant with the Safe Harbor framework. A lapse of this framework is likely to have a tremendously negative impact on the data flow between the EU and the U.S., followed by immediate and significant economic loss. It is imperative to avoid this.
However, since criticism of the alleged misuse of personal data by U.S. companies reached a new peak, in particular after Edward Snowden leaked classified information illustrating the extent of data harvesting and surveillance by U.S. authorities, including the NSA, German authorities have started to deny new permissions for data exports to the U.S.
What's the problem?
First and foremost, the criticism stresses that the Safe Harbor framework relies on a self-certification process. U.S. companies can voluntarily self-certify, on an annual basis, that they will comply with a binding set of principles. Although the arrangement is voluntary, once a company signs up to the Safe Harbor register it assumes various legal obligations which can be enforced by the U.S. Federal Trade Commission (FTC). Concerns over this have been raised on a number of levels, including:
- In order to self-certify, the respective company merely needs to submit a letter affirming its compliance (the self-certification is filed with the U.S. Department of Commerce, while enforcement lies with the FTC) without any further proof of actual compliance.
- Dr. Dix and his fellow speakers emphasised that even where U.S. companies self-certify that they comply with the Safe Harbor framework, there is no subsequent reconfirmation on an annual basis (or at all) beyond the initial confirmation.
- Additionally, U.S. companies do not protect personal data to the same extent that European companies do, even where they have confirmed via self-certification that they do. Moreover, the FTC neither verifies that self-certified companies actually comply with the Safe Harbor framework nor adequately enforces against non-compliance.
- The lack of an independent agency - an oversight committee - to safeguard compliance with the Safe Harbor is also regarded as a key issue.
Given that efforts to reform the rules governing the powers of the intelligence services, or to limit their authority, have not borne fruit, it is understandable that German authorities have decided to take matters into their own hands when it comes to Safe Harbor.
How have the Berlin and Bremen data protection authorities taken matters into their own hands?
In light of this criticism and the lack of progress in proving compliance with Safe Harbor, the Data Protection Authorities (DPAs) of Berlin and Bremen have each filed administrative proceedings against a U.S. company, demanding revocation of its Safe Harbor permission and suspension of the data transfers. Such a suspension is only possible if the criteria of Art. 3 (1) (b) of the Safe Harbor decision are fulfilled, namely:
"if there is a substantial likelihood that the Principles are being violated; there is a reasonable basis for believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects; and the competent authorities in the Member State have made reasonable efforts under the circumstances to provide the organisation with notice and an opportunity to respond".
It must be stressed that it is far from clear whether the German DPAs actually have the competence to suspend data transfers on this basis. Nevertheless, the proceedings are a major concern for the companies affected by this practice.
In taking the matter into their own hands, the German DPAs follow the lead of a decision made by the High Court of Ireland on 18 June 2014. The High Court formally asked the European Court of Justice (ECJ) to decide whether an EU member state supervisory authority may challenge the adequacy finding of the EU Commission on the Safe Harbor programme. The ECJ has yet to rule; however, the awaited decision could go a long way towards supporting the German DPAs' new approach of filing administrative proceedings against U.S. companies.
Speaking of the implications of the current situation, Dr. Dix further mentioned that German DPAs now advise EU-based companies to switch from U.S. service providers to their EU-based counterparts. So far, two large Berlin-based companies have followed this advice. The German DPAs base their advice to switch to European providers (e.g. cloud solution providers), among other things, on the fact that under the U.S. Foreign Intelligence Surveillance Act (FISA) U.S. authorities can order companies to grant them access to the data they seek and can combine that order with a so-called "gag order". By virtue of such a gag order, the U.S. company concerned may not disclose that it has received a request from a U.S. authority for personal data, nor that it has complied with it.
Against the background of these recent developments, companies are advised to reconsider their practice of exporting personal data to the U.S. from European jurisdictions, especially Germany, on the basis of Safe Harbor. Data exporters in Europe should satisfy themselves that their Safe Harbor-certified 'data importers' actually comply with the data protection principles they committed to under the Safe Harbor regime, rather than relying on the self-certification alone.