HL Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan Lovells Law Firm : Data Security, E-Commerce & Technology

In a speech to at Atlantic Council in Washington, DC on 9 July, Viviane Reding, Vice-President of the European Commission responsible for Justice, Fundamental Rights and Citizenship announced that she has begun exploratory talks with the United States for a comprehensive EU-US agreement for personal data protection standards to apply whenever personal data needs to be transferred across the Atlantic for the purposes of police and judicial cooperation in criminal matters.  Vice-President Reding said:  "The aim is clear: to provide legal certainty to data transfers by ensuring that all these transfers are subject to high standards of data protection on both sides of the Atlantic."

Also appearing at the Atlantic Council with Vice-President Reding was Department of Homeland Security Secretary Janet  Napolitano who, according to the Atlantic Council web site

noted that the United States has a long tradition of insisting on personal privacy — and is in some ways, such as a cultural antipathy to national identification cards and showing passports at hotel check-ins and the like, even more privacy conscious than Europe— the fact of the matter is that protection of personal data does not rise to the level of fundamental right in our society. 

That difference in approach in the US from the EU, with its Charter of Fundamental Rights which very specifically guarantees a right to personal data protection, suggests that the road to a bilateral treaty will be long.

Likewise, the path to the EU recognizing the US as a country with "adequate protections" allowing the cross-border flow of personal data without the encumbrances of model contract clauses, the EU-US Safe Harbor or Binding Corporate Rules seems distant.  Still, at a dinner this author had with Vice-President Reding with her delegation following her Atlantic Council (and her deposit of the new EU "Bill of Rights" a the National Archives), I was able to preview some of the themes of my upcoming presentation at the PLI Privacy Law Institute in Chicago on Monday, 19 July entitled "Is the Tide Turning? The Impact of the HITECH Act & Other Federal Regulation."  I conveyed to Ms. Reding that the time has come for the EU to reappraise the US level of protection given the FTC's "common law of consent decrees" through which specific rules on data protection have arisen, given the forty-six state data security breach notification laws which have prompted heightened attention to the protection of personal data, and given the application and enforcement of the many other sectoral and geographic privacy laws. 

• Email This
• Print

 Florian Unseld in the Hogan Lovells Munich office prepared this entry.  Florian specializes in data protection, information technology and intellectual property law. His work focuses on advising on all aspects of national and international data protection law including major cross-border projects. Florian also advises on the drafting and negotiating of contracts, software-licensing and the legal form and realization of IT-projects.

Introduction

The German authority, the Düsseldorfer Kreis, has issued an opinion that requires additional steps for German entities using the EU-US Safe Harbor for the transfer of personal data from Germany to the United States. 

This is a somewhat startling development as it previously was assumed that registration under the Safe Harbor by a US recipient of personal data from the EU was, by itself, adequate for the transfers to proceed.  Now, in Germany at least, greater diligence is required by the exporter of the data to the US to confirm that the Safe Harbor principles are followed by the recipient in the US.

The Düsseldorfer Kreis is a working group of representatives from Germany's sixteen state data protection authorities that provides a uniform "German" approach to data protection questions.  It issued a Decision (dated 28/29 April 2010) ("Decision") on the transfer of personal data from German companies to U.S. companies which are certified under the U.S.-EU Safe Harbor framework ("Safe Harbor"). The Decision responded to criticism of the Safe Harbor, in particular that (some) US companies represent that they are formally registered but do not adequately live up to the commitments the registration connotes. 

The representation by a U.S. entity that it is Safe Harbor certified now is not enough according to the Düsseldorfer Kreis because, in its view, European and U.S. regulators currently do not ensure that the U.S. companies comply with the self-certification.

The Federal Trade Commission in the United States is charged with enforcement of the Safe Harbor, to ensure that entities claiming registration are in fact registered and compliant.  See our previous report on FTC enforcement activity.  It appears that FTC enforcement power and its record of enforcement was inadequate in the eyes of the German officials.

What more is needed when the Safe Harbor is used for Germany-US personal data transfers?

German companies now are obliged to assess certain minimum criteria prior to transferring personal data to Safe Harbor-registered US companies:

(1) German companies exporting personal data must confirm that the US entity actually is registered  on the Safe Harbor, and is not just claiming that it is registered. 

(2) There must be confirmation that the US recipient is fulfilling its Safe Harbor obligations of notice  to individuals whose data is collected; specification of the purpose for which the data is collected and used; disclosure of whatever third parties subsequently receive the data once it is transferred to the US; provision of a mechanism for data subjects to limit the use and disclosure of data; and a complaint process for data subjects.    

(3) The German company must also document its assessment and provide its documentation to the competent data protection authority upon request.

(4)  In case any infringement of the Safe Harbor Principles or the expiration of a registration is detected, the data protection authorities should be informed.

Perspective

European regulators take data protection seriously and are taking steps to bolster enforcement. German companies transferring personal data to the US now have to be careful which Safe Harbor certified company to choose -- or whether even to switch to other approved safeguards (e.g., Standard Contractual Clauses), an alternative solution proposed by the Düsseldorfer Kreis.  It remains to be seen whether this additional level of Safe Harbor diligence will be required  by other European regulators.

• Email This
• Print