German watchdog tells firms to do own US privacy checks

Don't just trust Safe Harbor scheme

German privacy watchdogs have told companies to conduct their own checks of US companies' conduct before passing personal data to them, even if they are signed up to the EU-US 'Safe Harbor' data protection scheme.

The Düsseldorfer Kreis is an informal group of Germany's private sector data protection watchdogs. It has said that companies must not simply take US companies' word on their compliance with EU privacy principles if they plan to send personal data to them. They must make their own checks, the group said.

European Union laws on privacy are amongst the world's strictest, and companies are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will be protected as well there as it is in the EU.

There are several mechanisms for ensuring this protection. One is for the destination country as a whole to be deemed to have 'adequate' data protection because its laws are at least as stringent as the EU's. Very few countries achieve this rating.

Multinational companies can use binding corporate rules to send data to parts of the company in different countries, and companies can also use model contract clauses produced by the European Commission to bind companies outside of the EU to its high data protection standards.

Another mechanism, available only to US companies, is the Safe Harbor agreement. Under this, companies undertake to comply with privacy standards similar to those enforced in the EU and register with the US consumer protection regulator, the Federal Trade Commission (FTC).

The Düsseldorfer Kreis has said, though, that there are worries about how thorough US companies are being when they claim they have complied with the Safe Harbor deal, and has told German companies that they must make their own checks on US firms.

"At the very least the exporting company must clarify when the Safe Harbor certification of the US company was issued," said the Düsseldorfer Kreis, according to an automated translation. "Any certification older than seven years old is not valid."

The group also said that companies must check how the US recipient tells the subjects of the transferred data that it is processing their data, and must ensure that privacy regulators can verify that this has been done.

The regulators' decision underlines doubts about the Safe Harbor programme. A report in 2008 by management consultants Galexia found that the scheme fell short of its aims.

"Only 348 organisations [out of 1,109] meet even the most basic requirements of the Safe Harbor Framework," said that report. "Many organisations did not have a public privacy policy, or the policy failed to even mention the Safe Harbor. A large number of organisations failed to comply with Principle 7 – Enforcement and Dispute Resolution, as they did not identify an independent dispute resolution process for consumers.

"206 organisations claim on their public websites to be members of the Safe Harbor when they are not current members. Many of these false claims have continued for several years," said the study, which examined compliance with just one of the scheme's seven Safe Harbor Framework Principles.

"It is unlikely that many of these 348 organisations would be considered compliant with the more detailed requirements of the other six Safe Harbor Framework Principles. For example, some organisations’ privacy policies are only two sentences long," it said.

The study was not the first to find problems in the implementation of the Safe Harbor programme. "Overall the study found that the problems identified in previous reviews of the Safe Harbor have not been rectified, and that the number of false claims made by organisations represents a significant privacy risk to consumers," it said.

Louise Townsend of Pinsent Masons, the law firm behind OUT-LAW.COM, said that companies should be making basic checks on any firm they hire to process data for them even if they are part of the Safe Harbor programme.

"In reality you still have to make sure the company meets the standards of the Data Protection Act, including that appropriate organisational and security measures are in place, so if you are appointing a processor make sure they have that security in place and do due diligence on them," she said.

"I think you always need to do some due diligence on someone you are transferring personal data to, regardless of the mechanism used to do it," said Townsend. "You should be thinking about who you are giving this information to and what they are going to do with it."

Copyright © 2010, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.
