Germany to audit 500 companies
The German data protection authorities have announced today that they have chosen 500 companies throughout Germany to audit their transfer of personal data to the US and other countries (eg. India). The targets were chosen by random and cover small, medium-size and also large companies known to transfer data of their customers or employees from Germany to the US. Cloud computing and office software applications are in their focus. The different approach towards data privacy in the US – especially made apparent by Snowden – has made many EU authorities criticize the US use of personal data as not being adequate to the data protection level of the EU.
The Safe Harbor self-certification option for commercial entities in the US, a commonly used tool agreed between the EU Commission and the US Department of Commerce to safeguard an EU data protection level at US companies, was declared void by the CJEU in its Schrems decision. The new regime known as the “EU US Privacy Shield” went live is August. Also, companies have the option to agree bilateral EU Standard Contractual Clauses or to establish binding corporate rules.
Beware Cloud and SaaS
Now, the German authorities want to audit German companies and German branches of companies from abroad to check if and how they are complying. Especially it is expected that they want to investigate if there are transfer regimes in place and if the old Safe Harbor approach is still in use. Use of the cloud and SaaS vendors will be a focus.
Once more this is a warning sign that authorities of EU Member States are using their administrative authorities to enforce EU data protection law especially of consumers but also employees. Germany is being particularly active.
What happens next?
The German data protection authorities will approach companies by sending a letter requesting information on their practice of data transfer to the US. Depending on the response, the German authorities make more requests or site inspections may follow. The authorities will also likely direct the companies’ in-house Data Protection Officers to assist them with their requests.
If companies have received such requests they should carefully draft their response. As these requests usually provide for sufficient time to react, there may still be time to establish safeguards like EU Standard Contractual Clauses. But planning now is key.
Prepared by Christian Schefold, Christoph Zieger and Ariane Loof of Dentons Germany