Czech entities regularly transfer personal data to the United States. These companies often have a US sister or parent company or use US servers (e.g. for US cloud services). Apart from the EU countries, the US is where most of the personal data transferred from the Czech Republic ends up.
The European Commission has never acknowledged the United States as a country with a level of personal data protection comparable to that in the EU. That is an argument for another time! Therefore, most transfers to the US are based either on the incorporation of the model clauses issued by the European Commission into the agreement between the Czech data controller and the US recipient, or on a public undertaking by the US recipient to observe the so-called “Safe Harbor” principles and its registration with the relevant US authorities.
The Safe Harbor concept is a result of a compromise treaty between the US and the EU entered into for the purpose of facilitating trade between both sides of the Atlantic, while respecting the “cultural specifics” of each in relation to the protection of personal data and privacy in general.
Safe Harbor at Risk
However, the situation has recently been complicated by the scandal regarding the US “secret” monitoring program, PRISM. Information that the United States monitors on a large scale the private communications of foreign (thus also EU) citizens has created a furore in the EU. Discussions on revisiting the rules for personal data transfers to the US began immediately. The treatment of data under the Safe Harbor, in particular, has become a thorny subject. The European Parliament has demanded that the European Commission review the guarantees given by this program, as it turns out that some companies involved in PRISM have been registered within the Safe Harbor.
However, no one wants to leap to hasty conclusions, whether national regulators or European Commissioner Viviane Reding, who introduced the whole concept of the new EU data protection regulation in 2012. Trade with the US (and the related necessary data sharing) is of crucial significance for the EU and any resulting decrease would damage both parties.
The Czech Office for Personal Data Protection has also been dealing with this issue intensively. In mid-June, it expressed on its website its “concerns” regarding the levels of information revealed through the PRISM program; however, to date, it still has not published any specific instructions or recommendations with respect to personal data transfers to the US.
By contrast, Germany has adopted a stricter position, which other countries may possibly follow. In July this year, the Conference of German Commissioners for Protection of Personal Data issued a press release according to which the Commissioners intend not to issue any further approvals for transfers of personal data to the US. They are also to examine whether to cease even transfers carried out within the Safe Harbor program and the EU model clauses. Their concern is whether, given what is now known of the PRISM program, US companies are in reality able to guarantee a reasonable level of data protection. The German data protection authorities have previously doubted the security of the Safe Harbor treatment in any case, demanding that data controllers transferring the data to US companies registered within the Safe Harbor should verify whether the data recipients do actually follow the Safe Harbor principles.
According to the Commissioners of the individual States in Germany, a majority of the authorities intend to examine existing personal data transfers to the US as well as new applications, and, where necessary, to block new and/or already-commenced data transfers. It is possible that a more lenient attitude may be applied with respect to personal data transfers within corporate holdings, reflecting the presumption that German administrators transferring data to their affiliates in the US are sufficiently aware of the personal data processing standards of the US recipients and that they have a certain level of control over such processing.
Although the German authorities’ approach is not directly applicable in the Czech Republic as yet, it can be taken as a possible guideline for what approach might be expected from the other European regulators in due course, including the Czech authorities.
Therefore, if as a Czech employer you are just a few “clicks” away from transferring personal data to your US partner, consider whether to apply for a ruling from the Office for Personal Data Protection regarding the intended transfer. The Office’s position might differ depending on the type of the personal data, the purpose of its processing and transfer as well as on the nature of the recipient. Although that ruling will not be legally binding, it might help you in the event of any later investigation into your data processing.