A German regional personal data regulator has advised data controllers within its jurisdiction that if they are looking to export personal data to the US, they cannot simply rely on the importer being on the US Government "Safe Harbor" list. Does the regulator have a point, and how should UK data controllers view this, asks Mark Webber.
Who: Data Protection Authority of Schleswig-Holstein
When: 23 July 2010
Law stated as at: 31 August 2010
Ten years ago, the "Safe Harbor Agreement" was signed between the European Union and the United States, agreeing a set of seven principles which, if complied with, would provide an adequate level of protection for the transfer of personal data from EU member states to the U.S. In order to fall within the Safe Harbor Agreement, a U.S. company must go through a self-certification process, certifying that it adheres to the principles.
Early uptake by US business was slow, but gradually Safe Harbor became the recognised route to personal data transfer compliance for many of the world's largest companies.
Why do German data regulators see the "Harbor" as unsafe?
On 23 July 2010 the Data Protection Authority ("DPA") of Schleswig-Holstein (Germany has a regional system of data-protection regulation) issued a statement entitled "10th Anniversary of Safe Harbor – many reasons to act, but none to celebrate". The statement highlights findings of the Australian privacy researcher Chris Connolly, which were presented to a conference in Cambridge on 5 July 2010. According to Connolly's findings, as quoted in the statement:
- 2,170 U.S. companies claim to be Safe Harbor privileged, but of these 388 were not even registered with the Department of Commerce;
- among the registered companies, 181 certificates were found not to be current due to lapse of time;
- the check on the seventh principle concerning enforcement showed that 940 out of the 2,170 companies do not provide information on how to enforce individuals' rights;
- 314 companies provide a dispute resolution scheme that costs a prohibitive $2,000 – $4,000, making it hardly surprising that not a single complaint procedure has been carried out; and
- despite more than 2,000 annual complaints about non-compliance with the Safe Harbor principles, the Federal Trade Commission has prosecuted only 7 organisations for falsely claiming Safe Harbor self-certification.
The detailed results of the study will be published this month.
The concluding paragraph of the statement begins: "From a privacy perspective there is only one conclusion to be drawn from the lessons learned – to terminate safe harbor immediately. Due to the close economic relations nobody in the EU seems to have the courage to do it. The least that should be done is to demand from the U.S. short term positive evidence concerning enforcement of the Safe Harbor principles."
These are strong words, and they echo the sentiments of an earlier German DPA resolution given on 28/29 April 2010. The April resolution was issued by the Düsseldorfer Kreis, a working group of representatives from Germany's sixteen state DPAs that provides a uniform approach to data protection matters.
According to the Düsseldorfer Kreis, a representation by a U.S. entity that it is Safe Harbor certified is no longer enough, because, in its view, European and U.S. regulators do not ensure that U.S. companies comply with their self-certification. Prior to transferring personal data from German companies to the U.S., German data exporters must therefore verify whether a U.S. self-certified data importer complies with certain minimum Safe Harbor requirements. This is just the kind of due diligence you might expect a prudent data exporter concerned with compliance to do in any event (compare the alternative method of data transfer compliance, the Model Clauses, and the "adequacy review" required by the Controller to Controller clauses (Set II)).
In the Düsseldorfer Kreis's view, the German data exporter needs to:
- confirm that the U.S. company actually is registered on the Safe Harbor list and that this certification is not more than 7 years old (a certification older than this is considered invalid);
- ensure that the U.S. company complies with its Safe Harbor obligation to provide notice of the data processing to the relevant individuals;
- document the assessment and be able to provide the documentation to the Authority upon request; and
- notify the Authority of any infringement of the Safe Harbor Principles.
What does this mean for you?
Resolutions of the Düsseldorfer Kreis are not legally binding, but they are normally acted on by German supervisory authorities, so companies transferring data on German citizens to the U.S. may in time need to consider conforming to the four points above.
Why this matters:
As explained above, although they mirror some of the general sentiment muttered toward Safe Harbor in private, these opinions from Germany are not legally binding, and it is too early to say whether legislation will follow from these two publications. Additionally, while the occasional grumble may arise from within Europe, we have (as yet at least) no sign that the European Commission feels the same way about one of its currently recognised approaches and routes to compliance for the transfer of personal data to the US.
Are these the last strong words on the tenth anniversary of Safe Harbor? Watch this space!
Link to the Schleswig-Holstein statement (in English):
Link to the April 2010 Decision (in German):
Osborne Clarke, Thames Valley