All Data Transfers to U.S. Suspect: German Office

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jabeen Bhatti

Oct. 15 — Companies which transfer data from the German state of Schleswig-Holstein to the U.S. may face sanctions if the transfers lack an adequate legal basis, the data protection authority for the German state said in a position paper released Oct. 14.

All data transfers to the U.S., not just those previously made under the invalidated U.S.-EU Safe Harbor Program, may subject companies to penalties—including fines of up to 300,000 euros ($342,410)— according to the DPA.

Entities seeking to transfer data outside of the European Union cannot necessarily safely use alternative data transfer mechanisms to Safe Harbor given the European Court of Justice's ruling nullifying the program, the DPA said. That stance heightens the uncertainty about privacy enforcement—at least from Schleswig-Holstein that U.S. companies face now that Safe Harbor has been discarded.

The DPA disagreed with the European Commission, the EU's executive arm, which has indicated that alternative data transfer mechanisms, such as data subject consent, contracts and model contractual clauses, could be used as alternatives to Safe Harbor. The ECJ, the EU's top court, cited high-level protections under the EU Charter of Fundamental Rights as a basis for finding that the Safe Harbor provided an inadequate level of privacy protection, the DPA said. That basis has “consequences” for other legal instruments used to justify a data transfer to the U.S. and makes a “reevaluation” of these necessary.

“In light of the tough standards the court set in its judgment, a lasting solution can only come about with a significant change in U.S. law,” Marit Hansen, head of the DPA said in an Oct. 14 statement accompanying the position paper.

“Businesses in Schleswig-Holstein which transfer personal data to the United States should review their procedures as quickly as possible, and consider alternatives to the processing of personal data in the United States. This doesn't just apply to those transfers that were based on the Safe Harbor Principles but to every transmission to the U.S.,” he said.

Legal Basis Not Guaranteed 

Data subject informed consent requires not only an awareness of the purpose of the data transfers but also the risks, the position paper said. Therefore, data subjects must be offered information on the absence of an effective data protection regime in the U.S., the power of the U.S. government to access the data and the lack of rights and legal protections for the data subject, the DPA said.

The U.S. fails to follow the principles of purpose limitation and necessity enshrined in EU data protection law, the position paper said.

The DPA added that contractual data transfers to the U.S. agreed to between the data subject and data controller wouldn't necessarily provide a legal basis where employee personal data is involved because the employee would lack “freedom of choice” regarding the transfer of his or her data.

Standard contractual clauses would provide a legal basis for data transfers to the U.S. only if the U.S. entity receiving the data agreed that no U.S. laws would prevent it from adhering to EU data protection rules, the position paper said. The DPA also said that the entity transferring the data must suspend the transfer if it believes that such a statement is untrue.

To contact the reporter on this story: Jabeen Bhatti in Berlin at

correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com