The German data protection authorities have announced today that they have chosen 500 companies throughout Germany to audit their transfer of personal data to the US and other countries (e.g. India). The targets were chosen at random and cover small, medium-sized and also large companies known to transfer data of their customers or employees from Germany to the US. Cloud computing and office software applications are a particular focus. The different approach towards data privacy in the US – made especially apparent by Snowden – has led many EU authorities to criticize the US use of personal data as not being adequate to the data protection level of the EU.
The Safe Harbor self-certification option for commercial entities in the US, a commonly used tool agreed between the EU Commission and the US Department of Commerce to safeguard an EU data protection level at US companies, was declared void by the CJEU in its Schrems decision. The new regime known as the "EU US Privacy Shield" went live in August. Companies also have the option to agree to bilateral EU Standard Contractual Clauses or to establish binding corporate rules.
Beware Cloud and SaaS
Now, the German authorities want to audit German companies and German branches of companies from abroad to check if and how they are complying. In particular, they are expected to investigate whether transfer regimes are in place and whether the old Safe Harbor approach is still in use. Use of cloud and SaaS vendors will be a focus.
Once more this is a warning sign that authorities of EU Member States are using their administrative powers to enforce EU data protection law, especially for consumers but also for employees. Germany is being particularly active.
What happens next?
The German data protection authorities will approach companies by sending a letter requesting information on their practice of data transfer to the US. Depending on the response, the authorities may make further requests, or site inspections may follow. The authorities will also likely direct the companies' in-house Data Protection Officers to assist them with their requests.
Companies that receive such a request should carefully draft their response. As these requests usually allow sufficient time to react, there may still be time to establish safeguards like EU Standard Contractual Clauses. But planning now is key.
For more information, visit our Privacy and Cybersecurity blog at www.privacyandcybersecuritylaw.com
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com