Data Protection Report - Norton Rose Fulbright

Ten German data protection authorities (DPAs), led by the Berlin DPA, announced today that they will send formal questionnaires to about 500 companies in Germany to assess the scope of the companies’ cross-border data transfers. In a press release, the DPAs pointed out that the export of personal data to non-EU countries has become a common practice for major international, as well as small and medium sized companies, without, as the authorities say, adequate attention being paid to the unique data privacy issues raised by cloud computing and software as a service (SaaS).

According to the press release, cross-border processing and the export of personal information has seen an increase in recent years, in particular as part of cloud and SaaS applications. The DPAs claim that companies often are not aware of the extent of data usage that takes place when using cloud and SaaS services, and that personal information is regularly being transferred to countries outside the European Union (EU). Further, the DPAs claim that many companies are not fully aware of the legal implications of cross-border data exports, in particular regarding applicable data privacy laws.

Our Take

According to the Berlin DPA’s press release, a total of 500 companies will randomly be selected by the 10 cooperating authorities. Also, the participating authorities emphasized that companies of different sizes and industry sectors are to receive the questionnaire. Depending on the answers received, the authorities may conduct more thorough assessments of cross-border data usage. Presumably, enforcement action may result and monetary penalties may be sought.

This new campaign further illustrates the need for companies to assess the compliance of data exports and processing in countries outside of the European Economic Area.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.