German watchdog tells firms to do own US privacy checks
Don't just trust Safe Harbor scheme
German privacy watchdogs have told companies to conduct their own checks of US companies' conduct before passing personal data to them, even if they are signed up to the EU-US 'Safe Harbor' data protection scheme.
The Düsseldorfer Kreis is an informal group of Germany's private sector data protection watchdogs. It has said that companies must not simply take US companies' word on their compliance with EU privacy principles if they plan to send personal data to them. They must make their own checks, the group said.
European Union laws on privacy are amongst the world's strictest, and companies are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will be protected as well there as it is in the EU.
There are several mechanisms for ensuring this protection. One is that the whole country will be deemed to have 'adequate' data protection, because its laws are at least as stringent as the EU's. Very few countries achieve this rating.
Multinational companies can use binding corporate rules to send data to parts of the company in different countries, and companies can also use model contract clauses produced by the European Commission to bind companies outside of the EU to its high data protection standards.
Another mechanism, which only US companies can use, is the Safe Harbor agreement. Under this, companies comply with privacy standards similar to those enforced in the EU and register with the US consumer protection regulator, the Federal Trade Commission (FTC).
The Düsseldorfer Kreis has said, though, that there are worries about how thorough US companies are being when they claim they have complied with the Safe Harbor deal, and has told German companies that they must make their own checks on US firms.
"At the very least the exporting company must clarify when the Safe Harbor certification of the US company was issued," said the Düsseldorfer Kreis, according to an automated translation. "Any certification older than seven years old is not valid."
The group also said that companies must check how US companies tell the subjects of the data being transferred that it is processing their data and ensure that privacy regulators can check that this has been done.
The regulators' decision underlines doubts about the Safe Harbor programme. A report in 2008 by management consultants Galexia found that the scheme fell short of its aims.
"206 organisations claim on their public websites to be members of the Safe Harbor when they are not current members. Many of these false claims have continued for several years," said the study, which examined compliance with just one of the scheme's seven Safe Harbor Framework Principles.
"It is unlikely that many of these 348 organisations would be considered compliant with the more detailed requirements of the other six Safe Harbor Framework Principles. For example, some organisations’ privacy policies are only two sentences long," it said.
The study was not the first to find problems in the implementation of the Safe Harbor programme. "Overall the study found that the problems identified in previous reviews of the Safe Harbor have not been rectified, and that the number of false claims made by organisations represents a significant privacy risk to consumers," it said.
Louise Townsend of Pinsent Masons, the law firm behind OUT-LAW.COM, said that companies should be making basic checks on any firm they hire to process data for them even if they are part of the Safe Harbor programme.
"In reality you still have to make sure the company meets the standards of the Data Protection Act, including that appropriate organisational and security measures are in place, so if you are appointing a processor make sure they have that security in place and do due diligence on them," she said.
"I think you always need to do some due diligence on someone you are transferring personal data to, regardless of the mechanism used to do it," said Townsend. "You should be thinking about who you are giving this information to and what they are going to do with it."
Copyright © 2010, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.
Have the tee-shirt
Yep. An insurance broker that I worked for previously shipped its personnel database to the USA; it didn't claim safe harbour or even have it (I checked). I actually complained to the ICO, and was told by someone on the other end of the phone that it wasn't my problem and to "go away".
Sometimes we really need Europe to pounce on these offenders.
No pithy comment because I'm not in a pithy mood.
@"companies are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will be protected as well there as it is in the EU."
What, like data protected as well as in the UK!
I don't know if I should laugh or cry!
"We will not give your data to any other individual or legal entity for any reason. Ever."
I think that would work rather well, eh?
A lot more needed
What about the contract information of all the clients of the European subsidiaries of the US company I work for? The contracts database is in the US.
European CFO: "I can't sign up any more contracts until you have demonstrated your compliance."
Merkin CFO: "Did I mishear or did you just quit?"
European CFO: "Never mind!"
Bad Gates as no Bad Uncle Sam icon.
all very well
Until you are given a court order, or asked by the Inland Revenue to prove you don't owe them several million in tax. Or you hire a contractor, you know, that temp who types up your customer letters for you, who works for another company?