Data protection authorities in 10 of the 16 German federal states have begun a coordinated privacy sweep to assess businesses' transfer of personal data to cloud services based outside the EU.

The mass audit is taking in 500 randomly selected companies of various sizes. Their local data protection authorities have presented them with a detailed questionnaire that asks them about their transfers of employee and customer personal data to third countries, in particular the U.S.

If the companies do make such transfers, they have to explain what legal grounds they are using, with options running from standard contractual clauses and consent to the EU-U.S. Privacy Shield agreement and the Safe Harbor deal. Of course, anyone admitting to basing their transfers on Safe Harbor alone is likely to find themselves in trouble, due to its striking-down last year. 

In a joint statement issued Thursday, the DPAs explained that cross-border personal data transfers were growing massively, due to globalization and the rise of software-as-a-service. The types of services referenced in the questionnaire include office apps, cloud storage, email and other communications platforms, customer service ticketing and support systems, and risk management and compliance systems.

The Bavarian data protection authority is one of those taking part in the sweep. Alexander Filip, the watchdog's head of department for international data transfers, told The Privacy Advisor that there were two reasons for conducting such an audit.

"The purpose is, as usual when we are performing such investigations, to get a view about the situation in the market on the one hand, and to increase awareness of the businesses regarding the necessity of using legal grounds for transfers of personal data to third countries," he said.

According to Jana Schönefeld, a spokesperson for the Berlin DPA, German regulators have been "making more and more use of coordinated inspections in recent years." This one is timely, she noted, because it is now a year since the Court of Justice of the European Union struck down Safe Harbor. 

"There have been a lot of discussions about international transfers in the last months, especially with the Privacy Shield coming into effect," Schönefeld said.

Filip suggested that, particularly when it comes to cloud-based service providers, the businesses using such services are not always aware about when their data is exported outside the EU. Nonetheless, he explained, it is their responsibility to know what's happening to that data and figure out whether the transfers are legal. 

"We want businesses to assess and to check themselves first which kind of legal basis they are making use of for different transfers, and we want to know if they have checked that," Filip said.

While the questionnaire mentions a variety of different types of cloud service, it does not demand that businesses specify which ones they use. "We are looking at the data exporters," said Filip. "According to data protection law, it's the data exporter who is responsible for making use of a legal basis for a data transfer. We know that in reality it's very often the cloud providers which offer model contracts to their customers, but from a legal point of view it's the data exporter who is responsible for framing his transfers with a legal basis."

The DPAs are keen to point out the random nature of the audited companies' selection. Filip said the Bavarian authority "tried to choose at random even small businesses with presumably only a few employees, throughout the scale of business sectors and enterprises." Schönefeld said the Berlin DPA was not focusing on tech startups – of which there are many in the German capital – but she did note that "in some cases we addressed companies with whom we have been discussing questions of international transfers before."

It may be that the initiative will help the DPAs scope out the reality on the ground following the tumult of the last year, but so far no-one is talking about this as an enforcement exercise.

Filip said the audit was "just a starting point" and any potential enforcement would depend on the specific circumstances of the company in question, and the type and volume of personal data that is involved. "If there's a serious infringement, that might lead to enforcement action of course," he said. However, he added that most businesses are "ready to stop" illegal transfers when told they are breaching the rules.

"It's possible that the business is not aware of the requirements, so advising is also one of our duties," Filip said.

Asked whether he thought it likely that businesses would have to be told to stop using suppliers that haven't signed up to Privacy Shield, Filip pointed out that, in the Bavarian DPA's experience, "standard contractual clauses are very widespread."

"Most businesses, even in the time of Safe Harbor, made use of standard contractual clauses," he said. "But if a company exports data to a third country without implementing any of the legal grounds, that would be a data transfer which is not legal, and it has to stop. It has to be brought in line very quickly."

Here's the full list of states whose DPAs are carrying out the audit: Bavaria, Berlin, Bremen, Hamburg, Mecklenburg-Vorpommern, Lower Saxony, North-Rhine Westphalia, Rhineland-Palatinate, Saarland and Saxony-Anhalt.

photo credit: stephenjohnbryde magnifying glass macro <06.jpg via photopin (license)