Will Data Transfers between Germany and the US come to an end?
March 13, 2015
6300 kilometers or 3900 miles. This represents the length of the data cable connecting Europe and the US. One click is enough to overcome this huge distance. Many companies are transmitting data from Europe to the US on a daily or even hourly basis. When it comes to personal data, most companies rely on Safe Harbor to transfer personal data to the US and comply with European data protection laws.
The Safe Harbor Principles have been agreed between the EU and US and have been formally accepted in a decision of the Commission of the European Union. Companies have to register and will need to complete a self-assessment to comply with these principles.
In Germany in particular, there has been criticism of the fact that the competent authority to supervise Safe Harbor, the Federal Trade Commission, does not play a sufficiently active role in supervising and enforcing the Safe Harbor principles. The information reported from the Snowden documents increased skepticism in public opinion regarding the approach to privacy in the US.
As early as 2010, the German Conference of State Data Protection Officers (Düsseldorfer Kreis) recommended against relying on Safe Harbor to transfer data to the US. Recently, certain State Privacy Commissioners in Germany reiterated their view that Safe Harbor is, despite the decision of the European Commission, not a sufficient safeguard to transfer personal data to the US. On 28th January 2015 it became public that the Privacy Commissioner of Berlin and Bremen initiated proceedings against two US companies that are transferring personal data to the US. At this time, the identity of the two companies is unknown. The Privacy Commissioner of Hamburg also announced that proceedings which concern the Safe Harbor principles will be handled strictly in future.
More than 5,000 companies are registered for Safe Harbor. A large number of IT services are rendered under this legal concept. Cloud services or social media platforms are acting under Safe Harbor to offer their services. What does this mean for companies that are transferring personal data from Germany to the US? Does this mean the end for US IT services in the EU? How can companies overcome the uncertainty of their services and business relationships in Europe?
There is a way out, but companies need to rethink their data protection concepts. Existing alternatives such as EU Model Clauses or Binding Corporate Rules are more than valid ways to ensure a data protection level that allows transfers of data outside the EU. Since officials have already expressed doubts about Safe Harbor being a valid legal basis for data transfers to the US, companies should act sooner rather than later. With a possible European Data Protection Regulation on the horizon, companies need to prepare for upcoming demands.