PRISM and US-EU Trade Effects: German Data Protection Authorities Consider Stopping Data Transfers to the US

    August 2013

    In an official press release issued on 24 July 2013, the German Conference of Data Protection Commissioners of the Federation and the States (Conference) stated that the German Data Protection Authorities will no longer issue any new permissions for data transfers to the US and will examine whether such data transfers should be suspended on the basis of the US-EU Safe Harbor framework and the EU Model Clauses in response to recent reports of extensive access to EU personal data by the US National Security Agency (NSA) in relation to its PRISM program.

    Bilateral agreement to the terms of the EU Model Clauses or the US data importer's self-certification to the US-EU Safe Harbor Principles generally allows the transfer of personal data from Germany to the US under German privacy law in line with the EU Data Protection Directive. However, the Conference now argues that recipients in the US may no longer be able to guarantee an adequate level of data protection given the revelations about the PRISM program. Does this mean that there are now legal restrictions in place in Germany regarding the transfer of personal data to the US?

    The official statement of the Conference is purposely vague in this regard. Furthermore, there seems to be some disagreement among the State Data Protection Authorities as to the exact scope of their rights and obligations under German and EU law. Based on queries posed to the Authorities, each of which is responsible for data protection enforcement in its respective state, their current positions can be summarized as follows:

    • Some of the German State Authorities reportedly plan to make use of their existing rights to examine and even block individual (existing or new) transfers of personal data to the US – regardless of whether or not the relevant transfer is generally covered by a Safe Harbor registration and proven adherence to these principles, or by the use of EU Model Clauses. This appears to be an extension of the increased scrutiny applied under previously announced guidance. The assessment, however, will not consider whether there is a "substantial likelihood" that the data recipients will not be able to effectively adhere to the Safe Harbor Principles or the provisions of the EU Model Clauses as a result of potential NSA access. The Authorities adhering to this view are those responsible for North Rhine-Westphalia (with jurisdiction over companies located in Cologne, Düsseldorf, Dortmund and Essen) and Berlin.
    • According to reports, Bavaria (with jurisdiction over companies located in Munich) was the only participant of the Conference not supporting the common position and – based on the information that is currently available regarding PRISM – does not, for the time being, plan to examine existing or new transfers under Safe Harbor or the EU Model Clauses.
    • Hesse (with jurisdiction over companies located in Frankfurt) may examine new data transfers but is not planning to examine or block existing transfers.
    • For now, intra-group data transfers seem to be of limited concern for most German Data Protection Authorities as they appear to have confidence that a German entity transferring data to an affiliated entity in the US has sufficient knowledge of and influence over the data importer's processing activities.
    • The (future) sourcing of cloud services by German companies and individuals from external US service providers appears to be a major concern in light of PRISM.

    Whether the Conference announcement will result in major changes in practice is likely to depend on further developments involving PRISM and in the ongoing trade talks between the US and the EU, which feature data protection as a major trade issue. The German Data Protection Authorities may now begin to monitor and control transfers of personal data to US companies more thoroughly than they have done in the past. In view of the administrative and even punitive sanctions for violations of the German data protection laws, companies involved in the export or import of personal data relating to German residents to the US are advised to ensure that they are fully familiar with their obligations under the Safe Harbor Principles and/or the EU Model Clauses, and they should carefully monitor legal and trade developments in Germany and the EU more broadly.

    The Conference's press release is available to read online.