Florian Unseld in the Hogan Lovells Munich office prepared this entry. Florian specializes in data protection, information technology and intellectual property law. His work focuses on advising on all aspects of national and international data protection law, including major cross-border projects. Florian also advises on the drafting and negotiation of contracts, software licensing and the legal form and realization of IT projects.
The Düsseldorfer Kreis, the coordinating body of Germany's data protection authorities, has issued an opinion that requires additional steps from German entities relying on the EU-US Safe Harbor for the transfer of personal data from Germany to the United States.
This is a somewhat startling development, as it previously was assumed that self-certification under the Safe Harbor by a US recipient of personal data from the EU was, by itself, sufficient for the transfers to proceed. Now, in Germany at least, the exporter of the data to the US must exercise greater diligence to confirm that the Safe Harbor principles are actually followed by the recipient in the US.
The Düsseldorfer Kreis is a working group of representatives from Germany’s sixteen state data protection authorities that provides a uniform "German" approach to data protection questions. It issued a Decision (dated 28/29 April 2010) ("Decision") on the transfer of personal data from German companies to U.S. companies which are certified under the U.S.-EU Safe Harbor framework ("Safe Harbor"). The Decision responded to criticism of the Safe Harbor, in particular that some US companies represent that they are formally registered but do not adequately live up to the commitments the registration connotes.
The representation by a U.S. entity that it is Safe Harbor certified is no longer enough according to the Düsseldorfer Kreis because, in its view, European and U.S. regulators currently do not ensure that U.S. companies actually comply with their self-certification.
The Federal Trade Commission in the United States is charged with enforcement of the Safe Harbor, ensuring that entities claiming registration are in fact registered and compliant. See our previous report on FTC enforcement activity. It appears that the FTC's enforcement powers and its record of enforcement were inadequate in the eyes of the German officials.
What more is needed when the Safe Harbor is used for Germany-US personal data transfers?
German companies are now obliged to assess certain minimum criteria before transferring personal data to Safe Harbor-registered US companies:
(1) German companies exporting personal data must confirm that the US entity actually is registered under the Safe Harbor, and is not merely claiming to be.
(2) There must be confirmation that the US recipient is fulfilling its Safe Harbor obligations: notice to individuals whose data is collected; specification of the purpose for which the data is collected and used; disclosure of any third parties that subsequently receive the data once it is transferred to the US; a mechanism for data subjects to limit the use and disclosure of their data; and a complaint process for data subjects.
(3) The German company must also document its assessment and provide its documentation to the competent data protection authority upon request.
(4) If any infringement of the Safe Harbor Principles or the expiration of a registration is detected, the data protection authorities should be informed.
European regulators take data protection seriously and are taking steps to bolster enforcement. German companies transferring personal data to the US now have to be careful about which Safe Harbor certified company they choose, or whether to switch to other approved safeguards (e.g., Standard Contractual Clauses), an alternative solution proposed by the Düsseldorfer Kreis. It remains to be seen whether this additional level of Safe Harbor diligence will be required by other European regulators.