According to reports by the German business newspaper Handelsblatt, the German data protection commissioners have sent a letter to the German chancellor Angela Merkel, asking her to push the European Union to suspend the U.S. – EU Safe Harbor regime because of the recently disclosed NSA activities. This letter dates from July 23 and is signed by the Federal Commissioner for Data Protection and Information Freedom, as well as by the State data protection commissioners. Background to this request are the publications on NSA’s activities with regard to personal data of European including German citizens: NSA “with high probability” accesses personal data “across the board”. The officials argue that the European Union should suspend the Safe Harbor regime until the facts are cleared.
The official press release of the data protection commissioners expects “the Federal Government to do everything to protect the people in Germany against access to their data by third parties” and asks the Government “to negotiate a high level of data protection and regulation in Brussels which will prevent comprehensive and causeless surveillance by European and non-European authorities”. The request to suspend the U.S. – EU Safe Harbor regime is not mentioned explicitly in the press release.
The U.S. – EU Safe Harbor regime allows data controllers to export personal identifiable data from countries of the European Union to the U.S. provided the U.S. recipient is registered under the Safe Harbor regime. The Safe Harbor regime is one of several options to safeguard the “adequate level of data protection” required under the EU Directive 95/46 (and national laws implementing the Directive) for the export of personal data into third countries.
Safe Harbor has been critically viewed by German data protection authorities in the past: in 2010 already, the German data protection authorities issued guidelines which required German companies, prior to exporting personal data to Safe Harbor certified U.S. recipients, only after verifying the recipient’s registration status and the recipient’s compliance with the information obligations under Safe Harbor, and keeping a record of such verification on file.
The publications by Edward Snowden on the scope of NSA’s activities caused significant political discussion in Germany. Reports in Germany referred to about 500 million screened phone calls, emails and chats in Germany monthly (for a population of 80 million). Political pressure made the German Minister of the Interior, Hans-Peter Friedrich, travel to the U.S. with a quest to obtain further information.
The new move could have a significant impact, if it is successful: all companies relying on Safe Harbor for the transfer of personal data from the EU to the U.S. could suddenly face a situation where either such data transfers must be suspended (which is difficult to imagine against the background of globally operated IT systems), or face fines by data protection authorities for unlawful processing of data. Companies would look into short-term alternatives, like using the EU Model Clauses for the transfer of data. In the long-term, sustainable means like Binding Corporate Rules might become even more attractive than they are currently.
It remains to be seen whether the German government endorses this approach by the German data protection commissioners: In the past, the German government supported the U.S. government and defended NSA’s activities as useful and proportionate.