Ten state German data protection authorities announced on 3 November 2016 that they would be conducting a review of approximately 500 companies in respect of their international transfers of personal data. Under EU data protection laws, there is a general prohibition on transfers of personal data to countries outside the European Economic Area (“EEA“), which do not ensure an adequate level of protection, such as the US, unless certain exemptions apply. Exemptions include, for example, consent of the data subjects, EU-US Privacy Shield certification, Binding Corporate Rules and EU data transfer agreements known as “Model Contracts.”

The audit initiative is consistent with recent enforcement action and policy statements repeatedly made by several German data protection authorities in the wake of the invalidation of the Safe Harbor in the fall of 2015. The Privacy Shield has since replaced Safe Harbor, available for certification as of August 1, 2016.

We understand that the 500 companies will be randomly selected for the audit and according to the Bavarian data protection authority “great importance [has been placed] in involving companies of different sizes and different sectors.” Those companies selected will receive requests in due course to provide product and service specific information as well as the legal basis on which they transfer personal data outside of the EEA. The looming audits highlight the importance of ensuring robust privacy programs are in place, and attending to global international data transfer solutions despite ongoing scrutiny over key transfer solutions Model Contracts and Privacy Shield.