Privacy & Information Security Law Blog

On July 24, 2013, the Conference of the German Data Protection Commissioners at both the Federal and State levels issued a press release stating that surveillance activities by foreign intelligence and security agencies threaten international data traffic between Germany and countries outside the EEA.

Summary

In the press release, the Commissioners describe the supervisory authorities’ existing powers with respect to international data transfers (as granted by the Federal Data Protection Act and the European Data Protection Directive), and detail concerns regarding reports about comprehensive surveillance activities by foreign intelligence agencies, in particular the U.S. National Security Agency (“NSA”). In light of recent developments, the German Commissioners have decided:

• to stop issuing approvals for international data transfers until the German government demonstrates that unlimited access to German citizens’ personal data by foreign national intelligence services comports with the fundamental principles of data protection law (i.e., necessity, proportionality and purpose limitation); and
• to review whether to suspend data transfers carried out pursuant to the Safe Harbor Agreement and EU standard contractual clauses.

Background

The European Commission has issued several decisions establishing requirements intended to ensure adequate protection of EU personal data transferred to the United States or other foreign countries: “Safe Harbor” principles to allow for data transfers to the United States (2000), and EU Standard Contractual Clauses for the transfer of data to other third countries (2004 and 2010).

The press release states that the European Commission has always stressed that national supervisory authorities may suspend data transfers if there is a “high probability” that the Safe Harbor principles or standard contractual clauses are being violated. According to the German Commissioners, there is a high probability that the principles are being violated because personal data transferred by German companies to foreign countries may be accessed by the NSA (and other foreign intelligence services) without complying with the principles of necessity, proportionality and purpose limitation.

The press release also discusses the provision in the Safe Harbor agreement that limits the validity of the Safe Harbor principles as required by national security or law. The German Commissioners assert that these exceptions should be applied narrowly and used only as necessary, arguing that a democratic society cannot cite national security considerations as a means to justify comprehensive access to personal data without cause.

Current Concerns 

The Commissioners also point out that even when standard contractual clauses are used to transfer data to the U.S., the data importer must represent that (to his knowledge) there are no laws in his country that materially affect the guarantees in the EU standard contractual clauses. However, the Commissioners contend that there must be some type of general authorization to violate these guarantees in the U.S. if the NSA routinely accesses personal data transferred to the U.S. under EU standard contractual clauses.

Accordingly, the Conference of Commissioners is calling on the German government to demonstrate how unrestricted access to German personal data by foreign intelligence services can be limited so as to comply with EU data protection principles. Until they are satisfied that this has been proven, the German supervisory authorities will not issue any new approvals for international data transfers (including, for example, approvals requested by companies seeking to use certain cloud services). The authorities also will consider whether they should stop allowing international data transfers based on the Safe Harbor Agreement or EU standard contractual clauses.

In addition, citing excessive surveillance activities by foreign intelligence agencies, the German Conference of Data Protection Commissioners has suggested that the European Commission should issue an indefinite suspension of its decisions concerning Safe Harbor and EU standard contractual clauses.