On April 29, 2010, German data protection authorities issued a resolution regarding the obligations of German data exporters with respect to U.S. data importers that have self-certified under the Safe Harbor program. By requiring additional diligence when transferring data to Safe Harbor-certified entities, the resolution may appear to raise questions with respect to the European Commission’s decision that Safe Harbor certification is sufficient to demonstrate an adequate level of privacy protection.
The decision was rendered by the Düsseldorfer Kreis, a working group comprised of the 16 German federal state DPAs responsible for the private sector. The DPAs concluded that German data exporters may not rely exclusively on the U.S. Department of Commerce’s list of entities that have self-certified to the Safe Harbor program when determining whether a U.S. data importer ensures an “adequate” level of protection for personal data under German law. According to the decision, prior to transferring data from Germany to the U.S., German data exporters must verify whether a self-certified data importer complies with certain minimum Safe Harbor requirements in practice. German data exporters must:
- Check to see when the data importer’s Safe Harbor certification took place. A certification that is more than seven years old is considered invalid.
- Ensure that the data importer complies with its Safe Harbor obligation to provide notice of the data processing to the relevant individuals (notice principle).
- Document the assessment and be able to provide proof upon request by a DPA.
If a data exporter has doubts regarding the data importer’s Safe Harbor compliance following such an assessment, the DPAs recommend using standard contractual clauses or binding corporate rules to ensure adequate protection. In addition, the resolution states that a data exporter should inform the DPA if it determines that a data importer’s Safe Harbor certification is no longer valid, if the required notice of processing is not being provided to individuals, or if other violations of the Safe Harbor principles are discovered during the assessment.
Under German law, data exporters that fail to carry out the required assessments may be held liable and face sanctions if they transfer data to a U.S. data importer that does not have an adequate level of data protection. It is therefore crucial for German data exporters to evaluate the Safe Harbor status and compliance posture of U.S. data importers by conducting appropriate due diligence prior to any data transfers to the United States.