There was an announcement this month that two of the local German data protection authorities in Berlin and Bremen have taken action against two US companies that are registered under the US-EU Safe Harbor scheme. The Safe Harbor scheme is in place to protect the flow of data between the EU and US. The two companies have been asked to comment on certain issues the German authorities have raised. There are reports that the German authorities may also develop plans to try to freeze any further data transfers by the two companies between Germany and the US.
This came to light at the Conference of German Federal and State Data Protection Commissioners last month. There was also debate at the conference about whether the Federal Trade Commission in the US (‘the FTC’) have taken enough action to enforce Safe Harbor.
Germany has a somewhat unusual data protection system. Germany has a regional rather than a federal system of data protection where each German state appoints its own data protection regulator.
The action by the German regulators continues a trend of EU debate about the adequacy of Safe Harbor. It was in 2000 that the European Commission issued a decision stating that Safe Harbor provided adequate protection for data transferred from the EU to the US. Since then there has been some debate about whether Safe Harbor goes far enough to protect the data flowing across the Atlantic.
There have been two full reviews of Safe Harbor by the EU Commission in 2002 and 2004. This was followed in 2008 by a critical report by the Australian consultancy firm Galexia that asked the EU and US authorities to increase their efforts to police Safe Harbor.
Then in 2010 an informal group of the German Regulators called the Dusseldorfer Kreis raised their concerns with the Safe Harbor scheme. They said that corporations could no longer take a US organisation’s self-certification under Safe Harbor as conclusive proof of adequate protection of personal data. In addition, the Dusseldorfer Kreis called on the FTC to increase its Safe Harbor enforcement program.
Also in 2010, the Unabhangiges Landezentrum fur Datenschutz Schleswig-Holstein – the data protection authority for Schleswig-Holstein, (‘the ULD’) issued a press release where they said “despite the more than 2000 annual complaints about non-compliance with the safe harbor principles, the Federal Trade Commission (FTC) has prosecuted only seven organisations for falsely claiming safe harbor self-certification.”. The head of the ULD, Dr. Thilo Weichert, spoke out against Safe Harbor. Dr Weichert said that he thought that the Safe Harbor program should be reviewed. The ULD’s claims that more than 2,000 complaints were received each year are disputed by a source close to the FTC. That source felt that the FTC had received only 4 complaints in total up to the time when the ULD made its claims.
In November 2013 the EU Commission made 13 recommendations for the US to improve Safe Harbor. The EU Justice Commissioner Vera Jourova has spoken in recent months of her “strong doubts” on Safe Harbor.
Berlin and Bremen have shown that they are not prepared to take a laissez-faire attitude to US companies receiving data from the EU. There is a trend of increasing intervention on the part of the data protection authorities and companies may find there is more enforcement of Safe Harbor than ever before.
Jonathan Armstrong is a lawyer with Cordery in London where he focusses on regulatory compliance, processes and investigations.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784