Multinationals Would Likely File Lawsuits If Germans Challenge U.S.-EU Safe Harbor


By Jabeen Bhatti

March 31 — Multinationals that rely on the U.S.-European Union Safe Harbor Program are ready to challenge any final enforcement actions handed down by German data protection authorities that seek to restrict personal data transfers under the program, attorneys told Bloomberg BNA.

Although the federal and 13 state DPAs in Germany have the legal power to stop transfers under the program—under which companies can transfer personal data outside the European Economic Area if they self-certify their compliance with privacy principles similar to those found in the EU Data Protection Directive (95/46/EC)—the ability to use that power is limited, the attorneys said.

The issue has arisen most recently as privacy regulators in the German states of Berlin and Bremen announced they are investigating whether data transfers by certain companies in Germany to the U.S. under the U.S.-EU Safe Harbor Program meet EU data protection standards.

Bremen Data Protection Commissioner Imke Sommer and Joachim-Martin Mehlitz, a spokesman for Berlin's DPA, confirmed to Bloomberg BNA that they are investigating two unnamed Safe Harbor-certified companies and have initiated “administrative proceedings.”

“Eventually this is likely to be decided in German courts,” Tim Wybitul, a partner in Hogan Lovells LLP's Frankfurt office, told BNA. “For a couple of global or transnational companies, a negative decision by the local DPA is just not acceptable because it would be a major business hindrance.”

Over the past several months, there has been a broader move toward a more activist data privacy agenda in Germany fueled by Edward Snowden's revelations about the scope of the U.S. National Security Agency's surveillance activities. Some DPAs and politicians have said a prohibition of transfers under the program is warranted.

DPAs Have Limited Power

Although national data protection authorities can't directly challenge data transfer under the bilateral safe harbor regime as a whole, those DPAs do have the power to suspend data flows to the U.S., Jörg Hladjk, counsel at Hunton & Williams LLP in Brussels, told Bloomberg BNA. But the bar to exercise that authority is high, he said.

“The Safe Harbor decision clearly states that DPAs based on their existing powers under local law, may suspend data flows but only under certain conditions,” Hladjk said. In 2000, the European Commission, the EU's administrative arm, ruled that the U.S.-EU Safe Harbor Program provided adequate privacy protection for personal data. “And this is where it becomes really interesting because it doesn't seem to be fully clear at this point in time on which legal basis the DPAs are looking into these cases.”

According to a commission communication from Nov. 27, 2013, the 2000 decision allows for data transfers to be suspended only when the U.S. Federal Trade Commission, which has enforcement authority over the program in the U.S., decides a company is violating its privacy promises made to participate in the program, or:

(b) there is a substantial likelihood that the Safe Harbor Privacy Principles are being violated; there is a reasonable basis for believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects; and the competent authorities in the Member State have made reasonable efforts under the circumstances to provide the company with notice and an opportunity to respond.


Following revelations regarding the NSA's targeting of Europeans in their respective countries, German DPAs led the charge in questioning whether the U.S.-EU Safe Harbor Program was still viable if data transferred to the U.S. became subject to access by the U.S. government. They said there was “a substantial likelihood” that EU data protection principles were not being upheld and threatened to stop data transfers outside the country.

That position was echoed soon thereafter by the Article 29 Working Party of data protection officials from the 28 EU member states in a letter to the European Commission.

Berlin's data protection commissioner, Alexander Dix, reiterated the point at a European Data Protection Day event in Germany's capital Jan. 28, where he and the DPA from the state of Hamburg declared the U.S.-EU Safe Harbor Program “dead”.

Status of Bremen, Berlin Proceedings

Sommer, the Bremen DPA, said of data being transferred to the U.S. that she “saw a substantial likelihood that the data is not secure,” resulting in the agency using its powers to launch administrative proceedings involving one firm in autumn 2014.

The proceedings are in a hearing stage and will take some time before a decision is made, due to the highly complex material, she said.

Mehlitz, the Berlin DPA spokesman, said a decision is expected in the Berlin case soon after the Berlin DPA has reviewed a response submitted by the unnamed company in question.

According to the spokesman, the agency was inspecting the company for another reason, and the “question of data transfers to the U.S. came up.” He said he couldn't divulge the nature of the company's activities.

Hladjk said it remains unclear why these companies were singled out for enforcement action. The Bremen and Berlin DPAs are trying to “send a strong signal that there are consequences if they don't like your data transfers to the U.S.,” he said.

Move Away From U.S. Cloud Services?

A growing number of companies, including law firms, are quietly opting out of cloud storage solutions in the U.S. and data transfers to the U.S., particularly after the Snowden revelations, Sommer told BNA.

“They are doing so because in their eyes not just personal data is in danger, but also business and trade secrets,” she said.

Wybitul said some German and Europe-based companies are having second thoughts about using U.S.-based cloud providers, but it depends on the kind of data a firm handles. Furthermore, some U.S. providers are already offering EU-based cloud services in reaction to concerns raised by German and other EU DPAs, he said.

“I wouldn't say it's a general trend. Some firms are reluctant to share critical data with U.S. colleagues or save it on U.S. servers,” Wybitul said.

“For instance, whistle-blowing hotline servers, attorney-client communication or compliance databases often contain information which some firms have reasons to prefer to store onshore,” he said.

Reining In DPA Rhetoric

In at least one instance, a company filed a lawsuit against a German DPA regarding the regulator's public statements about the permissibility of the company's data transfers.

In November 2013, the Schleswig-Holstein Administrative Court issued a gag order against Thilo Weichert, the state's data protection commissioner, for his characterization of pharmacy data processing center VSA's handling of patient data.

Weichert had told news media outlets that VSA was engaged in one of the “biggest data scandals post World War Two.”

He said VSA was selling patient and prescription data to market research institutions such as U.S. firm IMS Health. Although selling the data wasn't illegal, certain requirements—such as sufficient data anonymization—have to be met, he charged.

VSA is based in the southern German state of Bavaria.

Weichert's media statements weren't permissible, the court said, noting that Weichert had no authority over data protection issues outside his state.

The Bavarian DPA had already inspected VSA's procedures and found them lawful, the court said.

To contact the reporter on this story: Jabeen Bhatti in Berlin at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com