The European Commission should suspend agreements that allow European companies to transfer personal data of European citizens to the U.S., the German Conference of Data Protection Commissioners has urged.
The Commission, meanwhile, is working on an assessment of the agreements that it will present before the end of the year.
Due to the mass surveillance of communications by the U.S. National Security Agency (NSA), U.S. companies can no longer fulfill European requirements for the exchange of personal data, said Germany’s Conference of Data Protection Commissioners in a joint letter sent to German chancellor Angela Merkel that was published on Wednesday. The conference consists of the federal data protection commissioner and the data protection commissioners of the German states.
The U.S. is not up to E.U. standards
The European Commission’s data protection directive prohibits the transfer of personal data to non-E.U. countries that do not meet E.U. standards for privacy protection. To allow exchange of personal data with U.S. organizations, the U.S. Department of Commerce and the European Commission developed a “Safe Harbor” framework, allowing E.U. companies to keep exchanging personal information within the bounds of the agreement.
Under the Safe Harbor conditions companies, for example, must show that they prevent penetration of their networks, Imke Sommer, the Bremen Commissioner for Data Protection and Freedom of Information said on Thursday. She added, however, that, “As we know by now there is no safe network, the NSA is watching.”
Therefore, the German data protection authorities have asked the Commission to suspend the Safe Harbor agreements and review whether U.S. companies can still comply with them, she said. If the agreements are suspended, that would mean that no European company would be allowed to send personal data to the U.S., Sommer said.
“The Safe Harbor agreement may not be so safe after all,” said Viviane Reding, vice president of the European Commission and the commissioner responsible for justice, fundamental rights and citizenship at the informal Justice Council in Vilnius last Friday. “U.S. data protection standards are lower than our European ones. I have informed ministers that the Commission is working on a solid assessment of the Safe Harbor Agreement which we will present before the end of the year.”
Germany leading the charge
The European Parliament and European industry have also been asking for a review, and the Commission will take note of the call from data protection and privacy advocates in Germany for an assessment, a Commission official said on Thursday.
Because German authorities have deemed the Safe Harbor principles violated, they have also urged companies in the country to stop the exchange of personal data with the U.S., Sommer said. If the companies are unable to prove that the data of German citizens sent to the U.S. is safe, the authorities can order them to stop sending data to the U.S., she said.
“All European data protection authorities can start doing this,” Sommer added.
However, not all data protection authorities agree with the German authorities.
The Irish Office of the Data Protection Commissioner (ODPC) said on Tuesday that the exchange of personal data of Irish subsidiaries of Facebook and Apple with the U.S. is in line with Safe Harbor principles, according to documents published by the Austrian student group Europe-v-Facebook on Thursday.
In late June, student group Europe-v-Facebook filed a barrage of complaints against European subsidiaries of major technology companies, claiming their data collection runs afoul of European privacy laws. The complaints were filed in Ireland against Facebook and Apple, in Luxembourg against Skype and Microsoft, and in Germany against Yahoo.
The group said that companies such as Facebook Ireland should not be allowed to export Europeans’ data to the U.S. if the data is then forwarded to the NSA for massive surveillance of personal information without probable cause, the group said in a news release.
The complaints were filed after former NSA contractor Edward Snowden leaked documents revealing NSA surveillance programs.
In a formal response to Europe-v-Facebook, however, Irish data protection authorities said that they see no breach of safe harbor protections.
“We consider that an Irish-based data controller has met their data protection obligations in relation to the transfer of personal data to the U.S. if the U.S. based entity is ‘Safe Harbor’ registered,” wrote Ciara O’Sullivan, senior compliance officer of the Irish ODPC.
“I can advise that we do not consider that there are grounds for an investigation under the Irish Data Protection Acts given that ‘Safe Harbor’ requirements have been met and on that basis we cannot identify that a contravention of the Acts has taken place,” she added in a follow-up emailto the group on Wednesday.
“The Germans see a major breach of fundamental rights, while the Irish do not even see a reason for an investigation,” said Max Schrems, a spokesman for Europe-v-Facebook. “We are very confident that the decision in Germany will be more substantial and very different than in Ireland.”
On Thursday, a broad coalition of mainly German civil rights organizations published a list of 12 demands directed at policy makers in reaction to the NSA surveillance program.
The open letter was signed by groups including the German digital rights group Digitale Gesellschaft, Greenpeace Germany, the German Journalist Association, the Electronic Frontier Foundation and the Chaos Computer Club.
The groups called on governments, national parliaments and European institutions for a consistent implementation and defense of the fundamental rights to privacy and data protection. They also want an obligation to individually notify affected persons after every act of digital surveillance or inspection and called for the disclosure of every agreement, law and action that has an adverse effect on the right to informational self determination.