Data Transfers and the EU

By Jonathan P. Armstrong
October 27, 2010

The last couple of months have seen a number of challenges for U.S. corporations doing business in Europe, particularly those that rely on the Safe Harbor scheme to legalize the transfer of customer or employee data to the U.S. As some European regulators flex their muscles, the challenges for U.S. corporations doing business in Europe are likely to increase.

The Issue

European data protection law has a number of options for any organization wishing to export personal data from Europe to the U.S. Traditionally the most popular was through a Data Transfer Agreement (DTA), but as the form of acceptable DTA changed in Europe and the complexities of registering those DTAs with regulators in Europe increased, many corporations have turned to the Safe Harbor scheme instead.

What Is Safe Harbor?

The Safe Harbor scheme was agreed upon between the U.S. and the European Commission in 2000 as an alternative to putting DTAs in place. It allows U.S. corporations to self-certify with the U.S. Department of Commerce to standards similar to those of European privacy law. In recent years, however, Safe Harbor has encountered considerable opposition, including a report prepared by the Australian consultancy Galexia in December 2008. That report called on U.S. and European Union authorities to increase policing of the program. The main objection was that a number of organizations professing to be registered under Safe Harbor were actually not registered. Galexia said that 1,597 corporations had self-certified, but only 348 met the basic requirements of the program. While it appears that some within the U.S. Department of Commerce questioned some of Galexia's findings, the report highlighted concerns about the framework.

The German Response

At a meeting in Hannover at the end of April, a group of German privacy regulators, known as the Düsseldorfer Kreis, expressed doubts about the Safe Harbor scheme. Germany operates a regional system of data privacy regulation where each of the 16 Länder (or states) appoints its own regulator for the private sector. Those regulators try to adopt a common stance on issues affecting Germany through an informal organization, which is the Düsseldorfer Kreis. The decision says that because of the doubts over the operation of the Safe Harbor scheme, corporations can no longer take Safe Harbor self-certification as conclusive proof of adequate protection of personal data. In particular, they say that Safe Harbor certifications more than seven years old should not be treated as valid. This last point appears to warrant clarification by local regulators since, in practice, Safe Harbor requires recertification every year. In addition, the Düsseldorfer Kreis called on the Federal Trade Commission ("FTC") to step up its Safe Harbor enforcement program.

Following the Düsseldorfer Kreis decision, Dr. Thilo Weichert, the data protection regulator for the German Land of Schleswig-Holstein, said on July 23, 2010 that he thinks Safe Harbor should be reviewed with a view toward the European Commission's approval of the deal with the U.S. being revoked. There is some precedent for this, as previous deals with the U.S. over air travel and bank information have been overturned. Dr. Weichert's statement made specific reference to the Galexia report, and said that Galexia was about to publish new findings that would again convey misgivings about the Safe Harbor scheme and its enforcement. He said that the FTC receives more than 2,000 complaints each year stating that corporations are not in compliance with Safe Harbor, but it has only taken enforcement action against seven corporations in the scheme's 10-year history.

What This Means for U.S. Corporations

Dr. Weichert's announcement and the earlier Düsseldorfer Kreis decision indicate that U.S. corporations will want to examine carefully any data that they hold on people in Germany. That examination will extend not only to their own operations, but also to the data handling operations of other corporations they do business with. For example, many U.S. corporations use third parties to handle data in connection with global HR systems, ethics policies, Sarbanes-Oxley whistleblower helplines, customer relationship management programs, social media operations and sales reporting systems. All of those operations are likely to contain personal data, and the system for collecting and transferring that data will need to comply with local law.

While the law in Europe is granular and each of the 27 EU member states will form its own conclusions on the adequacy of Safe Harbor, the problem is likely to spread beyond Germany. Given that the penalties for breach of data protection legislation are also on the increase across Europe, this is an area that deserves attention.


Jonathan P. Armstrong ([email protected]) is partner in the London office of Duane Morris LLP. A member of this newsletter's Board of Editors, Armstrong practices in the area of corporate law with a concentration in technology and compliance, counseling multinational companies on matters involving risk, technology and compliance across Europe. The author gratefully acknowledges the assistance of his colleague Eberhard Rohm in the preparation of this article.