The Chaos After PRISM

    September 2013

    Are Transfers of Personal Data to the United States Safe?

    Many Czech entities regularly transfer personal data to the United States. These are often either companies with a US parent or Czech companies using US servers (e.g. US cloud services). Apart from EU countries, the US is where most of the personal data transferred from the Czech Republic ends up.

    The European Commission has never acknowledged the United States as a country with a level of personal data protection comparable to that in the EU. Therefore, most transfers are based either on incorporating the EU model clauses issued by the European Commission into the agreement between the Czech data controller and the US recipient, or on a public undertaking by the US recipient to observe the so-called “Safe Harbor” principles, together with its registration with the relevant US authorities.

    The Safe Harbor concept is a result of a compromise treaty between the US and EU entered into for the purpose of facilitating trade between both sides of the Atlantic, while respecting the “cultural specifics” in relation to protection of personal data and privacy in general.

    Safe Harbor at Risk

    However, the situation has recently been complicated by the scandal regarding the US “secret” monitoring program PRISM. Information that the United States monitors the private communications of foreign (and thus also EU) citizens on a large scale has raised a significant furor in the EU. Discussions on the necessity of re-evaluating the rules for personal data transfers to the US began immediately. The treatment under the Safe Harbor, in particular, has become a thorny subject. The European Parliament has demanded that the European Commission review the guarantees given by this program, as it has been shown that some companies involved in PRISM have been registered within the Safe Harbor.

    However, no one wants to jump to hasty conclusions, whether we are talking about national regulators or the European Commissioner Viviane Reding, who introduced the whole concept of the new EU data protection regulation in 2012. Trade with the US (and the related necessary data sharing) is of crucial significance for the EU, and a decrease in it would damage both parties.

    The Czech Office for Personal Data Protection has also been dealing with this issue intensively. In mid-June, it expressed on its website its “concerns” regarding the levels of information revealed on the PRISM program; however, to date, it still has not published any specific instructions or recommendations with respect to data transfers to the US.

    Cautious Germany

    By contrast, Germany has adopted a stricter position, which other countries may possibly follow. In July of this year, the Conference of German Commissioners for Protection of Personal Data issued a press release, according to which the German commissioners intend not to issue any further approvals for transfers of personal data to the US. They are also to examine whether or not to halt even the transfers carried out under the Safe Harbor program and the EU model clauses. Their concern is that, considering the existence of the PRISM program, US companies are not able to guarantee a reasonable level of data protection. The German data protection authorities have previously doubted the security of the Safe Harbor treatment, demanding that German data controllers that transfer data to US companies on the basis of those companies' registration within the Safe Harbor verify whether the data recipients actually follow the Safe Harbor principles.

    According to the commissioners of the individual states in Germany, a majority of the authorities intend to examine existing personal data transfers to the US as well as new applications and, where necessary, block new and/or already commenced data transfers. It is possible that a more lenient attitude may be applied to personal data transfers within corporate holdings, reflecting the presumption that German administrators transferring data to their affiliates in the US are sufficiently aware of how the US recipients process the personal data and that they have a certain level of control over such processing.

    Although the German authorities’ approach is not directly applicable in the Czech Republic, it can be taken as a guideline for the approach that might be expected from other European regulators, including the Czech one.

    Therefore, if you are just a few “clicks” from transferring personal data to your US partner, consider whether to ask the Office for Personal Data Protection for its position on the intended transfer. The Office’s position might differ depending on the type of personal data, the purpose of its processing and transfer, and the nature of the recipient. Although such a position will not be legally binding, it might help you in the event of an investigation of your data processing.

    *This article was first published in Euro magazine on September 3, 2013