The official announcement came in early October: the harbor master, in this case the European Court of Justice, declared the Safe Harbor Agreement between the U.S. and Europe invalid, damming the flow of data from Europe to the USA. As a result of this decision, the transfer of European citizens’ data to the U.S. is no longer valid. The decision has far more extensive ramifications than may appear at first glance, as it affects not only data transfers to highly specialized service providers but, more generally, any transfer of personal data to U.S. companies. This covers a wide range of web-based services, from web servers and cloud services such as Office 365, Dropbox and various Google offerings to social media plug-ins on websites.
This means that, for the time being, any transatlantic transfer of data that was previously legal under the “Safe Harbor” agreement is now inadmissible and, in strictly legal terms, may be punishable with a fine of up to 300,000 EUR. Nevertheless, the legal status of such transfers has not been completely settled yet, and it remains to be seen how the national data protection authorities will deal with it. While these authorities issued a common statement in late October (English-language PDF) in which they prohibit data transfers based exclusively on the Safe Harbor agreement, they do not offer precise solutions to the problem. It therefore remains to be seen whether, and which, alternative arrangements will be considered admissible by the authorities.
In addition, the Article 29 Working Party, the independent advisory body of the EU on data protection, issued a statement on October 16, 2015 in which it recommends that the national data protection authorities not carry out checks for inadmissible data transfers based on the Safe Harbor ruling until the end of January 2016; this effectively sets a deadline for implementing the data protection requirements of the European Court of Justice. However, this recommendation does not apply to cases in which affected individuals complain to the national data protection authorities about a corporation. In such a case, the authorities have to investigate the complaint. While the statements and recommendations of the Article 29 Working Party are not binding, it can be presumed on this basis that the German local data protection authorities will not carry out checks regarding this matter until the end of the specified period.
However, to keep the risk of being fined as low as possible, you should observe the following recommendations:
- When transferring data to the USA, wherever possible obtain the consent of the individuals concerned to the data processing and keep a record of that consent.
- Wherever possible, choose service providers that process data in the EU and offer agreements for commissioned data processing in line with section 11 of the Bundesdatenschutzgesetz (Federal Data Protection Act – BDSG). These do not have to be European service providers; American providers that offer such agreements and process the data within the EU region also qualify. However, we should all keep a close eye on how the legal status of the right of access by US authorities to data stored by US companies within the EU evolves in the future.