The EU/U.S. Safe Harbor Program is a popular tool for companies that wish to transfer personal data between the EU and the U.S. The EU Commission and the U.S. Department of Commerce negotiated the Safe Harbor in 1999/2000 in order to allow for EU-to-U.S. data flows subject to strict commitments by recipient entities regarding data privacy and security. For years, the Safe Harbor Program has been criticized by European supervisory authorities for an alleged lack of enforcement, and currently, negotiations on a revision to the Safe Harbor Program are pending.
EU/U.S. Safe Harbor Program Perceived As Inadequate
At the European Data Protection Conference at the end of January, Hamburg Data Protection Commissioner Prof. Johannes Caspar and Dr. Dix asserted that U.S. companies do not protect data to the same level as EU companies do, even when U.S. companies certify that they will adhere to the Safe Harbor provisions. They further noted that the U.S. Federal Trade Commission may not be sufficiently investigating complaints, and that there may be inadequate enforcement of the Safe Harbor Program in general.
According to Dr. Dix, only services provided by companies in the EU can adequately comply with applicable EU data protection laws. Even if a U.S. company were to store its data in the EU, it could not ensure that U.S. intelligence agencies would not be able to gain access to that data.
Dr. Dix further announced that the data protection supervisory authorities in Berlin and Bremen already have initiated administrative proceedings against two U.S. companies that base their data transfers on the EU/U.S. Safe Harbor Program. In these proceedings, the supervisory authorities informed the U.S. companies of their concerns on the validity of the data transfers and asked for their response. The authorities have expressed their intent to suspend data transfers between Germany and the U.S. by these companies. Such proceedings should be considered the beginnings of an invigorated enforcement trend that may also capture other companies doing business in Germany. Dr. Dix further noted that upon mere notice of his authority's intent to investigate, two other German companies refrained from using U.S. cloud services.
Additionally, Federal Data Protection Commissioner Andrea Vosshoff warned that the current negotiations between the EU Commission and the U.S. on the Safe Harbor Program are on the brink of an impasse. Though one can speculate that the provocative statements by Vosshoff and Dix may have been made with an eye towards gaining leverage for the EU in the ongoing Safe Harbor Program negotiations, they may very well result in negative effects on U.S. service providers' businesses in Germany.
The now-published administrative proceedings against Safe Harbor-based data transfers are somewhat surprising considering that it is far from clear if the German supervisory authorities would actually be entitled to suspend data transfers. The German data protection supervisory authorities are thus at odds with the European Commission's established position that the Safe Harbor program ensures an adequate level of protection where U.S. entities receive the personal data of EU citizens. In fact, the High Court of Ireland, in a ruling on June 18, 2014, formally asked the European Court of Justice (ECJ) to decide, amongst others, whether an EU-member state supervisory authority may challenge the adequacy findings of the EU Commission on the Safe Harbor Program. The ECJ has not yet responded, but this decision will be highly relevant given the current state of play in Germany.
The positions of the German Data Protection Supervisory Authorities seem to be in line with a recently published update of the Cloud Computing Guideline by the German Data Protection Supervisory Authorities, which is also rather critical of U.S. cloud services.
In light of these developments, global companies should reevaluate their strategies for U.S.-inbound data transfers from European jurisdictions such as Germany. Alternatives approaches to the Safe Harbor Program may be available, including using EU Model Clauses that provide for data protection commitments and that continue to be deemed adequate measures even by the German data protection authorities.
Moreover, companies should properly evaluate whether Cloud Services are actually true "cloud" services that may implicate more specific scrutiny under the German Cloud Computing Guidelines and international data transfer rules. Not every Software as a Service that is marketed as a cloud service actually lacks the transparency and other relevant data protection features for which cloud services are being criticized. Such services thus may not necessarily be subject to the full set of "cloud" specific requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.