One way to ensure a transfer of personal data from the EU to the US does not fall foul of Data Protection Directive export controls is to send it to a Safe Harbor-listed US importer, right? Er... not necessarily, says a club of regional German data protection authorities, as Osborne Clarke Cologne's Gereon Abendroth reports.
Who: The Düsseldorfer Kreis (association of data protection authorities)
Where: Düsseldorf, Germany
When: May 2010
Law stated as at: 1 July 2010
Safe Harbor Not Safe Any More?
According to a statement of the Düsseldorfer Kreis (the association of German data protection authorities), German companies, when transferring personal data to the U.S., may no longer simply rely on a statement from the recipient based in the U.S. that it is Safe Harbor certified. German companies are instead obliged to check for themselves whether the requirements of data protection are adequately met.
Companies that transfer personal data to other companies outside the EU must ensure that the recipient takes adequate measures to protect the personal data and achieves a level of data protection equivalent to that of the EU countries.
There are several ways to comply with this obligation; e.g. international group companies may establish binding corporate rules throughout all group companies, ensuring a certain level of data protection within the corporate group. Alternatively, companies transferring and receiving personal data may agree on a set of model contract clauses issued by the European Commission. These contractual clauses oblige companies based outside of the EU and receiving personal data to ensure a standard of data protection equivalent to European data protection standards. To date, there are two different types of model contracts: (i) one governs the transfer of personal data from one data controller to another data controller; (ii) the other is designed for the transfer of personal data from a data controller to a data processor.
For companies based in the U.S. only, there is a third mechanism, the Safe Harbor Principles. Under this, U.S. companies commit themselves to the U.S. Federal Trade Commission (FTC) to comply with data protection standards similar to those in the EU.
The Resolution of the Düsseldorfer Kreis
In its recent resolution, the Düsseldorfer Kreis stated that it has concerns with respect to the effectiveness and enforcement of the Safe Harbor Principles. Therefore, German companies transferring personal data to the U.S. must conduct their own examination of the U.S. companies and see for themselves whether an adequate level of data protection is met.
The least that German companies need to do, according to the Düsseldorfer Kreis, is to clarify when the Safe Harbor certification was issued to the respective company and to demand some evidence for this. Any certification older than seven years is not sufficient.
The Düsseldorfer Kreis further requires German companies to verify that the Safe Harbor certified company, after issuance of its certification, is still complying with the Safe Harbor Principles. Unfortunately, the Düsseldorfer Kreis does not provide any guidelines on how German companies may fulfill this obligation.
Moreover, German companies should request information from, or a demonstration by, the U.S. company of how it fulfils its duty under the Safe Harbor Principles to provide information on (i) what personal data is stored and (ii) how it is processed.
General Recommendation for German Data Exporters
German companies that have been transferring personal information to U.S. companies on the basis of the Safe Harbor Principles should contact the U.S. company and request proof of its current Safe Harbor certification and of how compliance with the Safe Harbor Principles is ensured. If any of the evidence points to mere self-certification, German companies should consult their legal departments or legal advisors.
For future projects, German companies should impose an obligation on U.S. companies to maintain a valid Safe Harbor certification throughout the contract period and to establish processes (preferably by audit through external companies) to ensure enduring compliance with Safe Harbor requirements and to provide adequate documentation for this.
Consequences for U.S. Data Importers
In light of the recent statement of the Düsseldorfer Kreis, U.S. data importers should be prepared to comply with the requirements set out by the Düsseldorfer Kreis in order not to impose any risks of non-compliance on their customers.
It is advisable to have the respective documentation and evidence available, so that U.S. data importers are able to comply with potential requests at short notice. We also recommend establishing and implementing internal policies reflecting the Safe Harbor requirements and obtaining certification from external auditors.