Data Protection Report - Norton Rose Fulbright

On February 26, 2016,  Article 29 Working Party member and head of the Hamburg Data Protection Authority, Prof. Dr. Johannes Caspar, again spoke at an event about the consequences of the invalidation of the Safe Harbor, emphasizing his position on the transfer of personal data from the EU to the US.

Caspar made it clear that, in his view, both the EU Standard Contractual Clauses (Model Clauses) as well as Binding Corporate Rules (BCRs) are most certainly not sufficient to warrant an appropriate level of data protection for the import of EU data into the US. A definitive decision of the European data protection authorities (DPAs) is expected on April 12, 2016.

Caspar suggested several possible solutions for the dilemma that companies relying on such transfer mechanisms are currently facing. First, the EU data could by anonymized before transfer, which would render the data non-personal. The second option might be to use strong encryption techniques, provided that US authorities would not be able to obtain the encryption key. In this context, Caspar applauded the currently forming cooperation between Microsoft and Deutsche Telekom to set up German-based cloud services to keep personal data within the EU.

Interestingly, following previous statements highly doubting the sufficiency of the EU-US Privacy Shield, Caspar has also demanded that the German Federal Minister of Justice introduce a national regulation which would empower Germany’s national DPAs to bring the EU-US Privacy Shield before the courts. He expects such regulation to be implemented soon.

Following the Court of Justice of the European Union (CJEU)’s decision on Safe Harbor, the Hamburg DPA wrote to 38 Hamburg-based companies that were Safe Harbor certified in the US. According to Caspar, a number of the recipient companies expressed deviating views on the issue of cross-border data transfer, which causes the need for further investigation.

Commenting on the timeframe for adopting the General Data Protection Regulation, Caspar observed that the maximum fine available under current German data protection law (EUR 300,000) has a relatively low financial impact on globally operating businesses with billions of dollars of revenue.

Caspar made it clear that he understands the uncertainties that companies concerned with the transfer of EU data to the US are facing at the moment. At the same time, it is also quite clear to us that the struggle is not likely to end with the new EU-US Privacy Shield.

For more information on recent developments relating to the EU-US Privacy Shield, please see our post on the European Commission’s publication of the EU-US Privacy Shield documentation.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.