In a prior post, we noted that US organizations are taking a conservative approach towards the EU-US Privacy Shield Framework (Privacy Shield) based in part on a lack of regulatory guidance and potential future scrutiny. On September 12, the data protection authority (DPA) of North Rhine Westphalia (LDI), Germany issued its own “guidelines“ for data exporters that highlight some of the DPA’s concerns regarding the Privacy Shield.

The German DPA warned companies that all data exporters in its jurisdiction must verify that

  • the data importer must be registered under the Privacy Shield and that such certifications must be valid;
  • the data importer must fulfill its “notice” and “onward transfer obligations”; and
  • the German laws for general controller-processor data processing generally apply (Sec 11 German Data Protection Act).

In addition, the DPA noted that the data exporter needs to document that it has complied with all of these obligations before sending any data to the data importer. Currently, there is no need to notify this DPA, but the DPA states that it will raise any issues with regard to the Privacy Shield directly with the data exporters in their jurisdictions and in the framework of the annual review of the Privacy Shield with the US government.