Cross-border data transfers under scrutiny in Germany

Out-Law News | 04 Nov 2016 | 2:41 pm

Approximately 500 businesses operating in Germany can expect to have their data transfer arrangements scrutinised in a new coordinated exercise being conducted by privacy watchdogs over the next week.

The Berlin data protection commissioner Maja Smoltczyk, together with nine other data protection authorities in Germany, including those in Hamburg and Bremen, will select businesses of different sizes and from across different sectors to audit. The review will focus on arrangements the businesses have in place for transferring personal data outside of the European Economic Area (EEA).

In a statement announcing the action, Smoltczyk said businesses operating in Germany need to be aware that "special data protection requirements apply" when they want to transfer personal data overseas. She said the aim of the coordinated audit is to "increase the sensitivity of the companies" to those requirements and that in-depth investigations could be carried out by the authorities depending on the audit findings.

Munich-based data protection expert Kirsten Wolgast of Pinsent Masons, the law firm behind Out-Law.com, said businesses operating in multiple jurisdictions in Europe need to be aware of the particular restrictions German law places on data transfers.

"This coordinated action shows that at least some of Germany's data protection authorities believe there is a potential issue with compliance with data transfer rules," Wolgast said. "In Germany the rules on data transfers are stiffer than in other places in Europe, so businesses that have set up data transfer arrangements that may accord with, say, UK law, might not necessarily be compliant with German law. Many businesses, particularly those based outside the EEA, are unaware that differences exist in this respect."

"In Germany businesses need to have a legal ground for transferring personal data outside the EEA and, on the side of data subjects' interests or rights, there must not be a reason that outweighs any legitimate reason businesses have for doing so. Businesses can expect the requirements to be interpreted strictly. The restrictions on transferring sensitive personal data overseas are even tighter and may prevent businesses from transferring human resources and payroll data, for example, to third countries at all," she said.

Wolgast said that one driver for the watchdogs' coordinated action might be the fact that there has been significant change and uncertainty on data transfer issues in recent times. In particular she pointed to the fact that the EU's highest court effectively invalidated the EU-US Safe Harbour scheme in October 2015 after identifying shortcomings with the extent to which US authorities might be able to access EU citizens' data when transferred across the Atlantic and with privacy safeguards in place under the scheme.

Since the ruling by the Court of Justice of the EU (CJEU), other mechanisms enabling data transfers, notably European Commission-endorsed model contract clauses and binding corporate rules, have also come in for scrutiny by privacy campaigners and data protection authorities in Europe. A legal challenge raised in Ireland threatens the future viability of model clauses as a tool for facilitating data transfers outside of the EEA, while separate legal challenges have also been lodged against the EU-US Privacy Shield, a data transfer framework established earlier this year to replace the Safe Harbour regime.