In Wake of PRISM, German DPAs Threaten To Halt Data Transfers to Non-EU Countries

By Jabeen Bhatti  


BERLIN--Companies doing business in Germany are likely to face additional bureaucratic hurdles involving new data transfers to countries outside the European Union--or have their attempts to move data halted entirely, attorneys told BNA July 25.

In the wake of revelations about the U.S. National Security Agency's PRISM internet surveillance program, German data protection authorities July 24 announced a crackdown on privacy violations involving countries outside the European Union and called for the German government to suspend participation in the U.S.-EU Safe Harbor Program.

Germany's 16 state data protection commissioners, along with Federal Data Protection Commissioner Peter Schaar, said in the statement that they would not approve data transfers until the German government demonstrated that foreign intelligence services' access to German information is limited in a way that complies with the main principles of data protection law--“necessity, proportionality, and limitation to purpose.”

“We are receiving applications to authorize transfers, and we're either not taking these applications any further, or we are posing questions to the applicants as to the measures they are taking in order to prevent foreign intelligence services to access this communication,” Alexander Dix, data protection commissioner for Berlin, told BNA July 25.

Jörg Hladjk of Hunton & Williams LLP, in Brussels, told BNA July 25 that German DPAs are legally empowered to stop company data transfers as they see fit.

The End of Safe Harbor?

Under the EU Data Protection Directive (95/46/EC), the personal information of EU citizens may be transferred out of the 28 member state bloc only if the European Commission deems the receiving country's data protection regime to be “adequate.”

The Commission granted adequacy status to the U.S.-EU Safe Harbor Program in 2000. Under the program, U.S. companies self-certify to the Commerce Department that they will abide by EU data protection principles.

The Commission has also recognized alternative means for companies to transfer information in compliance with the Data Protection Directive, such as binding corporate contracts, or model contract clauses.

“If companies apply for new data transfers, the data protection commissioners have the authority to say no,” Hladjk said.

“Guarantees companies have provided in the past like Safe Harbor certification in the U.S. or an EU model contract approved by the European Commission … might not be acceptable anymore,” he added.

Because it is unlikely that companies will be able to stop the NSA's surveillance program, or demonstrate to the German DPAs that they have incorporated sufficient privacy protection to safeguard information from being accessed by foreign intelligence services, companies are in a “severely difficult” position, Hladjk said.

Companies Bear Responsibility

“Companies who transfer personal data to the U.S. bear the responsibility for data,” Imke Sommer, chairperson of the Conference of Data Protection Commissioners, and the data protection commissioner for the city-state of Bremen, said in the group's statement.

“Like everyone else in Germany, [companies] also have to be interested in ensuring personal data flows are not monitored by intelligence services on a large scale without due cause,” she said.

The DPA officials said their tightening of the rules would pressure companies to react sooner rather than later to the threats posed by foreign intelligence surveillance.

“I'm sure companies will have to come up with a solution, it is in their economic interest,” Dix said.

“If a U.S. provider offers encrypted means of storing [data] in a cloud, that would be a technical alternative to increase security. We would consider these measures as we think about whether to grant permission for a data transfer,” he said.

More important than pressuring companies to find ways to ensure their data transfers are protected from intelligence agency surveillance, Dix stressed, the DPAs are looking to move the German federal government to take steps to ensure that the reach of foreign intelligence services into German data does not overstep EU data protection laws.

“I am confident that the federal government will react,” he said. “Some ministers have already made proposals for an international treaty for an addition to the U.N. Covenant on civil and political rights--that is one possible way forward.”

“But in the meantime, we need an agreement within the government about what intelligence services should be allowed to do until an international treaty comes into force,” Dix added.

At a recent conference sponsored by the Department of Commerce's International Trade Administration, U.S. officials touted the continuing viability of the U.S.-EU Safe Harbor Program (see related report).