When German companies transfer personal data to companies outside the EU, they have to fulfil the stringent requirements of the Federal Data Protection Act. In order to ensure a permissible data transfer they must therefore regularly take measures to ensure an adequate level of data protection at the recipient. The application of the Safe Harbor principles is one of these measures.
The supervisory authorities responsible for data protection have now stated new requirements for the transfer of personal data, which have quite substantial consequences for those companies doing business in Germany which send data to the USA. Therefore, these companies must be prepared for the fact that the transfer of data on the basis of the Safe Harbor Agreement is only permissible now under stricter requirements – and that the data protection supervisory authority will examine these strict requirements thoroughly.
Safe Harbor Agreement as a Permit for Data Transfer into the USA
Generally, the USA does not provide a sufficient level of protection for the processing of personal data transferred from Europe. The transfer of personal data from Europe to third countries without an adequate level of data protection is only permissible if adequate protection of the transferred data is ensured by other means. Making data available for retrieval from the USA is also considered a data transfer to a third country without an adequate level of data protection.
New Requirements by the Data Protection Supervisory Authority
Now companies must prepare for stricter requirements. The joint panel of the highest supervisory authorities for data protection in the private sector – the so-called Düsseldorfer Kreis – recently passed an important resolution regarding the transfer of data according to the Safe Harbor principles. By way of this resolution the supervisory authorities set stricter requirements than previously for the cross-border transfer of data under the Safe Harbor Agreement. German supervisory authorities generally act on the basis of the resolutions of the Düsseldorfer Kreis – hence, companies are well advised to heed and implement this resolution.
Companies doing business in Germany which transfer data to the USA on the basis of the Safe Harbor Agreement are well advised to implement the requirements of the supervisory authorities for data protection quickly. A violation of the Federal Data Protection Act’s regulations can lead to fines of up to 300,000 Euro, disgorgement of profits, claims for damages and substantial damage to reputation. Particularly severe violations of the Federal Data Protection Act are punishable by imprisonment of up to two years or fines.
As a rule, the individual supervisory authorities for data protection largely align themselves with the requirements of the Düsseldorfer Kreis. By way of this resolution, data transfer on the basis of the Safe Harbor Agreement will in future only be possible under stricter requirements than before. In its paper the Düsseldorfer Kreis has established the following requirements:
- Safe Harbor certifications which are more than seven years old will generally no longer be considered valid.
- The company exporting data to the USA must obtain proof from the data recipient of how the importing US company fulfils its information obligation towards the persons affected by the data processing. This is also important so that the data importer in the USA can pass the information on to the person affected by the transfer.
- Companies exporting data must document their examination of these minimum criteria and provide it to the supervisory authority upon request.
Consequences of the stricter supervisory practice
As a result, German companies transferring personal data to the USA on the basis of the Safe Harbor Agreement are obligated to verify that their contractual partners adhere to the Safe Harbor principles. If such verification is not possible, the supervisory authorities recommend ensuring the appropriate level of data protection by other means, in particular by using the EU standard contractual clauses for the transfer of data.
Recommendations
Companies that transfer personal data to US companies on the basis of the Safe Harbor Agreement must allow for the supervisory authorities’ changed practice if they want to avoid fines, damage to reputation and possible claims for damages by the affected persons.
1. Demand Proof
German data exporters should approach their contractual partners immediately and demand respective proof as required by the competent supervisory authorities. This proof should be diligently archived in order to be able to provide it to the supervisory authorities upon request.
2. Draft Agreements
When drafting future agreements for the transfer of data on the basis of the Safe Harbor Agreement, German data transferors should be even more diligent in obligating their contractual partners in the USA to abide by the Safe Harbor principles, e.g. by agreeing contractual penalties for violations of data protection principles. Furthermore, it is advisable to agree upon control rights for the data transferor.
3. Informing Affected Persons
Additionally, clauses are advisable under which US contractual partners must regularly, throughout the contractual relationship, prove that their certification is current and continuously provide proof of how the US company fulfils its information obligation towards the persons affected by the data processing.
