Datonomy considers the German authorities’ reaction to the PRISM affair, and the wider practical consequences this could have for international transfers made under the auspices of the U.S. Safe Harbor framework and the model contracts.
After the reports about extensive surveillance activities by foreign and European intelligence services, especially by the American National Security Agency (NSA) and the UK Government Communications Headquarters (GCHQ), and possible transfers of personal data to them by American companies, European data protection authorities are raising their voices. In a letter dated 13 August 2013, the chairman of the Article 29 Working Party expressed his deep concern to the Vice-President of the European Commission, Viviane Reding, urging her to seek more clarification from the U.S. and announcing the intention of the European data protection authorities to conduct their own investigations into the compliance of foreign and European intelligence programs with EU data protection principles. Concrete actions have, however, not yet been taken at a European level.
Germany – USA transfer: no new authorisations under Safe Harbor
In Germany, the data protection authorities have already gone a step further, or at least announced that they would. “Data protection supervisory authorities will not issue any new permission for data transfer to non-EU countries (including for the use of certain cloud services) and will examine whether such data transfers should be suspended.” With this statement in a press release of 24 July 2013, the Conference of Federal and State Data Protection Commissioners in Germany attracted attention all over Europe. Rumours spread that the German authorities even wanted to “suspend” the EU – U.S. Safe Harbor agreement, which serves as a vital basis for transatlantic flows of personal data.
In their press release, the Federal and State Data Protection Commissioners call on the German government to provide a plausible explanation of how the unlimited access of foreign intelligence services to the personal data of persons in Germany is effectively limited in accordance with the principles of Safe Harbor and the standard contractual clauses for data transferred to countries outside the European Union. They also address the European Commission and demand a suspension of its decisions on Safe Harbor until further information and notice is provided.
A recap on adequacy – transfer of personal data to the USA
Under the Data Protection Directive 95/46/EC, the transfer of personal data by a European-based controller to a third country which does not ensure an adequate level of protection is prohibited. In order to ensure an adequate level of protection for personal data transferred to the U.S., the U.S. government and the European Commission developed the Safe Harbor principles in 2000 (2000/520/EC), which allow U.S.-based companies to take part in a self-certification program supervised by the Federal Trade Commission (FTC). The companies have to comply with several requirements regarding the processing of personal data. Data transfers to these companies are then automatically deemed to be covered by an adequate level of protection. As an alternative to the Safe Harbor regime, the European data exporter and the U.S. data importer can agree on standard contractual clauses (Annex of decision 2000/87/EU) previously published by the European Commission. By using these clauses, an adequate level of protection is also assumed. Permissions from national data protection authorities are generally not required in these cases.
Suspension of data transfers by national authorities
According to their press release, the German authorities will not “issue new permissions” for data transfers to non-EU countries and will examine whether such data transfers should be suspended on the basis of the Safe Harbor framework and the standard contractual clauses. This announcement deserves some clarification:
Firstly, it has to be emphasized that the national data protection authorities may not suspend the Safe Harbor principles as a whole, or the underlying decision of the European Commission. This falls within the European Commission’s area of responsibility. Indeed, the Commission is currently undertaking an assessment of the Safe Harbor principles. Ms. Reding expects a result by the end of this year.
However, the competent authorities within the Member States may exercise their existing powers to suspend data flows to a specific organization that has self-certified its adherence to the principles, in order to protect individuals with regard to the processing of their personal data. In addition, further requirements have to be fulfilled, such as a determination that there is a substantial likelihood that the principles are being violated and that the continuing transfer would create an imminent risk of grave harm to data subjects. The same basically applies to the standard contractual clauses.
The German national authorities regard these requirements as fulfilled. Hence, from their point of view, they may use their existing powers to suspend data flows to the U.S. However, whether the principles of Safe Harbor are really being violated is highly questionable (as the full and clear details of the surveillance activities still remain hidden) and would have to be examined closely, especially by the European Commission and a special committee formed by representatives of the Member States.
Other European data protection authorities do not share the view of their German counterparts. The Data Protection Commissioner of Ireland, for example, does not believe that there are grounds for an investigation. In the UK, the Information Commissioner’s Office (ICO) commented on the Article 29 Working Party’s letter to the European Commission by saying that the Commissioner is “taking a keen interest” in the issue, but has so far not taken any concrete action. In Belgium, the Commission de la Protection de la Vie Privée (CPVP) has not yet published any statement in this respect.
German authorities practise what they preach
According to a statement of 25 July 2013 by the data protection commissioner of Berlin, Alexander Dix, the Commissioner is currently either not processing applications to authorize transfers to the U.S. any further, or requesting information from the applicants about the measures they take to prevent foreign intelligence services from accessing the information. The data protection commissioner hints, however, at the possibility that if a “U.S. provider offers encrypted means of storing data in a cloud, that would be a technical alternative to increase security”.
It has to be kept in mind that a suspension of data transfers to a U.S. company could result in commercial disadvantages and possibly economic damage for German-based companies that rely on transatlantic transfers of personal data to the U.S. The statement from the data protection commissioner of Berlin shows that data transfers may still be legally possible, but companies will have to make more effort than before to convince the authorities of an adequate level of protection.
The German data protection authorities live up to their reputation as tough privacy watchdogs in the European Union. Nevertheless, uncertainty remains as to whether suspensions of data transfers will in fact be made and whether they can be legally justified.
On another level, it will be interesting to observe if and how the German government and the European Commission respond to the demands of the European data protection officers, and whether they will adapt or even suspend the existing rules of Safe Harbor or the standard contractual clauses. Finally, the ongoing examinations by the Art. 29 Working Party should be watched carefully, as their conclusions may well have an impact on international data transfers from the EU to the U.S. Whatever happens next, datonomy readers should follow these developments closely, as the impact on international business must not be underestimated.