Originally published June 17, 2010

Keywords: German companies, transfer of personal data, USA, Federal Data Protection Act, data transfer

When German companies transfer personal data to companies outside the EU, they must meet the stringent requirements of the Federal Data Protection Act. To ensure that a transfer is permissible, they must as a rule take measures that guarantee an adequate level of data protection on the part of the recipient. Applying the Safe Harbor principles is one of these measures.

The supervisory authorities responsible for data protection have now set out new requirements for the transfer of personal data, with substantial consequences for companies doing business in Germany that send data to the USA. These companies must be prepared for the fact that transfers on the basis of the Safe Harbor Agreement are now permissible only under stricter conditions, and that the data protection supervisory authorities will examine compliance with these conditions thoroughly.

Safe Harbor Agreement as a Permit for Data Transfer into the USA

As a general matter, the USA does not provide an adequate level of protection for the processing of personal data transferred from Europe. A transfer of personal data from Europe to a third country without an adequate level of data protection is permissible only if adequate protection for the transferred data is ensured by other means. Making data available for retrieval from the USA is likewise considered a transfer to a third country without an adequate level of data protection. In 2000 the EU and the USA concluded the so-called "Safe Harbor" Agreement, which sets out the requirements for a permissible transfer of data from an EU member state to the USA¹. Under the Safe Harbor Agreement, companies can establish an appropriate data protection standard by joining the agreement and bindingly subjecting themselves to the Safe Harbor principles. The procedure is not complicated: companies can register online with the US Department of Commerce². The same page contains a list of the companies that have subjected themselves to the Safe Harbor rules. The numbers show that the agreement is a practicable solution for many companies that must transfer data internationally for business reasons: according to a press release of the Federal Commissioner for Data Protection and Freedom of Information dated October 25, 2006, more than 1,000 companies had already joined the Safe Harbor Agreement at that time.

New Requirements by the Data Protection Supervisory Authority

Companies must now prepare for stricter requirements. The joint body of the supreme supervisory authorities for data protection in the private sector, the so-called Düsseldorfer Kreis, recently passed an important resolution on the transfer of data under the Safe Harbor principles³. With this resolution the supervisory authorities set stricter requirements than before for cross-border data transfers under the Safe Harbor Agreement. German supervisory authorities generally act on the basis of the resolutions of the Düsseldorfer Kreis; companies are therefore well advised to heed and implement this resolution.

Companies doing business in Germany that transfer data to the USA on the basis of Safe Harbor are well advised to implement the supervisory authorities' requirements quickly. A violation of the Federal Data Protection Act can lead to fines of up to 300,000 Euro, disgorgement of profits, claims for damages and substantial damage to reputation. Particularly severe violations of the Federal Data Protection Act are punishable by imprisonment of up to two years or by a criminal fine.

As a rule, the individual supervisory authorities for data protection largely follow the requirements of the Düsseldorfer Kreis. As a consequence of its resolution, data transfers on the basis of the Safe Harbor Agreement will in future be possible only under stricter requirements than hitherto. In its paper the Düsseldorfer Kreis has established the following requirements:

  • Safe Harbor certifications that are more than seven years old will generally no longer be considered valid.
  • The company exporting data to the USA must obtain proof from the data importer of how the importing US company fulfills its information obligations vis-à-vis the persons affected by the data processing. This is also important so that the information can be passed on to the persons affected by the transfer.
  • Companies exporting data must document their examination of these minimum criteria and provide the documentation to the supervisory authority upon request.

Consequences of the Stricter Supervisory Practice

As a result, German companies transferring personal data to the USA on the basis of the Safe Harbor Agreement are obligated to verify their contractual partners' adherence to the Safe Harbor principles. If such verification is not possible, the supervisory authorities recommend ensuring an adequate level of data protection by other means, in particular by using the EU standard contractual clauses for data transfers.

Recommendations

Companies that transfer personal data to US companies on the basis of the Safe Harbor Agreement must take the supervisory authorities' changed practice into account if they want to avoid fines, damage to reputation and possible claims for damages by the affected persons.

  1. Demand Proof

    German data exporters should approach their contractual partners immediately and demand the proof required by the competent supervisory authorities. This proof should be diligently archived so that it can be provided to the supervisory authorities upon request.
  2. Draft Agreements

    When drafting future agreements for data transfers based on the Safe Harbor Agreement, German data exporters should be even more diligent in obligating their US contractual partners to abide by the Safe Harbor principles, e.g. by providing for contractual penalties in the event of violations of data protection principles. It is also advisable to agree on audit rights for the data exporter.
  3. Informing Affected Persons

    Additionally, clauses are advisable under which the US contractual partner must, regularly throughout the contractual relationship, demonstrate a current certification and continuously provide proof of how it fulfills its information obligations vis-à-vis the persons affected by the data processing.

Footnotes

1. Commission Decision 2000/520/EC of July 26, 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the "Safe Harbor" privacy principles and related "frequently asked questions" (FAQ) issued by the US Department of Commerce, OJ L 215 of August 25, 2000, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2000:215:0007:0047:DE:PDF.

2. This list is available at https://www.export.gov/safehrbr/list.aspx.

3. The resolution is available at: https://www.ldi.nrw.de/mainmenu_Service/submenu_Entschliessungsarchiv/Inhalt/Beschluesse_Duesseldorfer_Kreis/Inhalt/2010/Pruefung_der_Selbst-Zertifizierung_des_Datenimporteuers/Beschluss_28_29_04_10.pdf.



Mayer Brown is a global legal services organization comprising legal practices that are separate entities ("Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; and JSM, a Hong Kong partnership, and its associated entities in Asia. The Mayer Brown Practices are known as Mayer Brown JSM in Asia.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.

Copyright 2010. Mayer Brown LLP, Mayer Brown International LLP, and/or JSM. All rights reserved.