German watchdog tells firms to do own US privacy checks

Don't just trust Safe Harbor scheme

German privacy watchdogs have told companies to conduct their own checks of US companies' conduct before passing personal data to them, even if they are signed up to the EU-US 'Safe Harbor' data protection scheme.

The Düsseldorfer Kreis is an informal group of Germany's private sector data protection watchdogs. It has said that companies must not simply take US companies' word on their compliance with EU privacy principles if they plan to send personal data to them. They must make their own checks, the group said.

European Union laws on privacy are amongst the world's strictest, and companies are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will be protected as well there as it is in the EU.

There are several mechanisms for ensuring this protection. One is that the whole country will be deemed to have 'adequate' data protection, because its laws are at least as stringent as the EU's. Very few countries achieve this rating.

Multinational companies can use binding corporate rules to send data to parts of the company in different countries, and companies can also use model contract clauses produced by the European Commission to bind companies outside of the EU to its high data protection standards.

Another mechanism which only US companies can use is the Safe Harbor agreement. Under this, companies comply with similar privacy standards to those enforced in the EU and register with US consumer protection regulator the Federal Trade Commission (FTC).

The Düsseldorfer Kreis has said, though, that there are worries about how thorough US companies are being when they claim they have complied with the Safe Harbor deal, and has told German companies that they must make their own checks on US firms.

"At the very least the exporting company must clarify when the Safe Harbor certification of the US company was issued," said the Düsseldorfer Kreis, according to an automated translation. "Any certification older than seven years old is not valid."

The group also said that companies must check how US companies inform the people whose data is being transferred that their data is being processed, and must ensure that privacy regulators are able to verify that this has been done.

The regulators' decision underlines doubts about the Safe Harbor programme. A report in 2008 by management consultants Galexia found that the scheme fell short of its aims.

"Only 348 organisations [out of 1,109] meet even the most basic requirements of the Safe Harbor Framework," said that report. "Many organisations did not have a public privacy policy, or the policy failed to even mention the Safe Harbor. A large number of organisations failed to comply with Principle 7 – Enforcement and Dispute Resolution, as they did not identify an independent dispute resolution process for consumers.

"206 organisations claim on their public websites to be members of the Safe Harbor when they are not current members. Many of these false claims have continued for several years," said the study, which examined compliance with just one of the scheme's seven Safe Harbor Framework Principles.

"It is unlikely that many of these 348 organisations would be considered compliant with the more detailed requirements of the other six Safe Harbor Framework Principles. For example, some organisations’ privacy policies are only two sentences long," it said.

The study was not the first to find problems in the implementation of the Safe Harbor programme. "Overall the study found that the problems identified in previous reviews of the Safe Harbor have not been rectified, and that the number of false claims made by organisations represents a significant privacy risk to consumers," it said.

Louise Townsend of Pinsent Masons, the law firm behind OUT-LAW.COM, said that companies should be making basic checks on any firm they hire to process data for them even if they are part of the Safe Harbor programme.

"In reality you still have to make sure the company meets the standards of the Data Protection Act, including that appropriate organisational and security measures are in place, so if you are appointing a processor make sure they have that security in place and do due diligence on them," she said.

"I think you always need to do some due diligence on someone you are transferring personal data to, regardless of the mechanism used to do it," said Townsend. "You should be thinking about who you are giving this information to and what they are going to do with it."

Copyright © 2010, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.
