In 2000, the European Union and the US Department of Commerce agreed to the Safe Harbor framework, which includes principles governing the protection of personal data transferred to a US-based company that self-certifies compliance with the Safe Harbor Principles. Compliance with the Principles is deemed by the EU to provide an adequate level of protection for the processing of personal data. Transfers of personal data outside the European Economic Area are prohibited unless adequate measures to protect the data are implemented, and the Safe Harbor framework is one method of ensuring adequate protection for transfers of personal data from the EU to the United States. The Department of Commerce publishes on the Internet a list of all companies that have self-certified under Safe Harbor, including information on the status of the certification and on the type of personal data covered by it.
On 28/29 April 2010, the "Düsseldorfer Kreis," a working group of the German data-protection authorities ("DPAs"), issued a decision stating that data exporters in Germany may not rely solely on the published Safe Harbor list to determine whether a data importer complies with the Safe Harbor Principles. Companies seeking to export data must (i) conduct minimum checks before they transfer data to a company listed as certified on the U.S. Department of Commerce Safe Harbor website, and (ii) request verification of compliance with the Safe Harbor Principles. The Düsseldorfer Kreis recommended checking the date on which the U.S. company certified, and further suggested that if the self-certification dates back more than seven years, it should be considered invalid. In addition, the Düsseldorfer Kreis demands that the exporter request from the importer information and evidence as to how the importer complies with its notice obligations to those individuals whose personal data is to be transferred. This is of particular importance because the German data exporter must convey this information to the data subjects so that they can fully exercise their rights under German data protection law.
Data exporters must document their review and, upon request of one of the DPAs, show proof that the review has been conducted. The DPAs recommend implementing model clauses or binding corporate rules instead of relying on the Safe Harbor Principles if, after review, the exporter doubts the importer's compliance with the Principles. They also ask to be informed of any expiration of a self-certification and of other breaches of the Safe Harbor Principles by a listed company.
The decisions of the Düsseldorfer Kreis are not binding on the DPAs or on companies, but it is highly likely that they will find their way into the future actions of the DPAs. Although the German Federal Data Protection Act does not contain an obligation to review whether a proposed importer warrants and maintains an adequate level of protection, the DPAs can be expected to construe the relevant provisions of the Act in light of the Düsseldorfer Kreis decision.
German companies that intend to export personal data to companies in the United States should therefore not rely on the self-certification alone, but should ask their prospective data importer to provide factual evidence of compliance with the Safe Harbor Principles. Failure to do so may result in administrative proceedings against the German exporter, and potentially in fines of up to €300,000, or more if that amount is lower than the advantage gained from the transfer.