German data protection authorities have recently issued guidelines on the transfer of personal data from Germany to the U.S. under the U.S. Department of Commerce Safe Harbor framework (Safe Harbor Principles).


Under the guidelines published on April 29, 2010, compliance with German data protection requirements has become more demanding for the many global corporations that rely on Safe Harbor to transfer personal data for their global HR systems, customer databases or reporting hotlines, to name only a few examples. Through their informal association, the Düsseldorfer Kreis, the German regulators now take the position that German data exporters may not simply rely on a U.S. data importer's statement that it is Safe Harbor certified and complies with the Safe Harbor Principles. Rather, entities exporting personal data from Germany to the U.S. (data controllers) are required to actively verify that the importer complies with the principles in practice. This includes, at a minimum, obtaining written proof of:


  • a Safe Harbor certification which must not be older than seven years, and

  • compliance with the Safe Harbor “notice principle” by the U.S. data importer (e.g. by obtaining a copy of the receiving entity’s Safe Harbor notice).


Data exporters must, upon request by the supervisory authorities, provide written documentation of the checks performed to verify that the data importer meets these minimum requirements. Moreover, data controllers are required to inform the authorities if the U.S. entity does not comply with the Safe Harbor Principles. Where this occurs, data transfer agreements based on the EU Model Clauses or the implementation of binding corporate rules may serve as alternative ways to ensure an adequate level of data protection by the data importer.


By issuing the new guidelines, the German regulators may well have set off further activity in other EU jurisdictions, as other European data protection authorities are likely to pursue this issue as well. Multinational corporations transferring personal data from Germany to the U.S. would be well advised to review their privacy notices (if they have not done so recently) and to implement, without delay, procedures that satisfy the documentation and verification requirements set out in the Düsseldorfer Kreis' guidelines. U.S.-based multinational corporations that rely on Safe Harbor more generally should be prepared for further tightening of the procedures for data transfers under Safe Harbor in the future.