International E-news - May 2010
- Exports from Germany of personal data under the United States Safe Harbor now face obstacles from the regulators
- DPAs suspect that Google’s wireless data collection and retention practices in breach of DP law
- Facebook replies to critics
1. Exports from Germany of personal data under the United States Safe Harbor now face obstacles from the regulators
Transfers of German data to the USA under the Safe Harbor regime now face difficulties. In a decision of 28/29 April 2010, the German data protection Land (state) authorities for the private sector (so called “Düsseldorfer Kreis”) require German data controllers to perform a number of basic checks before transferring personal data to a US company which claims Safe Harbor certification.
As a minimum, data controllers must check (i) when the US company self-certified and (ii) how the US company notifies data subjects of its data processing activities. They must then document this check and provide evidence about it to the relevant data protection authority on request.
Where there is any doubt over the US company's compliance with Safe Harbor, data exporters are recommended to use the EU model clauses or Binding Corporate Rules and inform their Land (state) authority about their doubts.
The decision is a (late) reaction to the Galexia report "The US Safe Harbor / Fact or Fiction?" of 12 December 2008 (PL&B International Newsletter December 2008 p.1 and June 2009 p.18) which raised concerns that many aspects of the Safe Harbor framework were not working. It is supposed to apply as long as comprehensive controls of US companies’ self-certification under Safe Harbor are not guaranteed either by European or US authorities.
Following this decision, there is now a risk for German data exporters relying solely on the apparent Safe Harbor certification of a US data importer. As the German authorities appear to prefer the use of EU model clauses or BCRs, they may take more interest in organisations which export personal data based on Safe Harbor.
Going forward, the decision creates legal uncertainty for data exporters over when a minimum check is sufficient and when a more comprehensive check would be required.
The decision sets a trend towards greater questioning of the value of a Safe Harbor certification in Germany and casts doubt on the popularity of this regime in the future.
By Dr Vera Jungkind, German Qualified Lawyer (Rechtsanwalt). Senior Associate, Hengeler Mueller, Düsseldorf , seconded to Bristows, London. E-mail: Vera.Jungkind@Bristows.com
Briefing and Roundtable, Frankfurt, Germany, 1st and 2nd June, 2010
International transfers of personal data from Germany will be covered in detail at the Briefing and Roundtable in Frankfurt, Germany on 1st and 2nd June. There will be presentations by both specialist lawyers and the Land authorities from Berlin and Hessen, respectively the chair and a member of the Düsseldorfer Kreis’s sub-group on transborder data flows. See the full programme.
Already subject to criminal investigation in Germany over capture of data from open Wi-Fi networks for Street View, Google has now received requests from several DPAs to explain its policy. According to the Guardian, the German data protection authorities demand access to one of the hard drives used to gather data, and have announced that Google has until 26 May to do so.
Google said in a statement: "Following requests from the Irish, Danish and Austrian data protection authorities we can confirm that we have deleted payload data identified as coming from those countries. We can also confirm that, as requested, we are keeping data from Belgium, France, Italy, Spain, Germany, Switzerland and the Czech Republic.
"Given that there is some uncertainty about deletion generally – for example, one data protection authority changed its instruction from delete to retain in the last 24 hours – we think it makes sense to keep the remaining country data while we work through these issues."
IAPP reports that ‘data protection officials in Spain, the Czech Republic, France and Germany have started administrative inquiries into the company’s practices, which they said violated local privacy laws.’ The French DP authority, CNIL, is said to be inspecting Google’s Paris office, and in the US, two members of Congress asked the Federal Trade Commission to provide a review of the situation.
The Australian Privacy Commissioner is also launching an investigation. She said the data collected appeared to be limited but such collection was a "likely breach of the Privacy Act". She has put several questions to Google. "When we have received Google's response to these additional questions we will be in a position to make recommendations about the destruction of data”, said Commissioner Karen Curtis.
In the UK, the Information Commissioner released the following statement: "There does not seem to be any reason to keep the data concerned for evidential purposes. Therefore, in line with the data protection requirement that personal data should be held for no longer than necessary, we have asked Google to ensure that these data are deleted as soon as reasonably possible."
Privacy International has raised the point that the provisions of the UK’s Regulation of Investigatory Powers Act (RIPA) on interception of users' data may apply. It is dissatisfied with the Commissioner’s response, and says that deleting the data would in fact be “destructing evidence."
On 21 May the US Electronic Privacy Information Center (EPIC) asked the Federal Communications Commission to investigate Google’s collecting of user data as violating federal wiretapping legislation. Marc Rotenberg, of EPIC said that when Google collected data sent to and from a residential WiFi account, it violated the Wiretap Act. He said “the Act provides for civil liability and criminal penalties against any person who ‘intentionally intercepts, endeavours to intercept, or procures any other person to intercept . . . electronic communications.”
Writing in the Washington Post on 24 May, Facebook founder Mark Zuckerberg said that they will soon announce changes that will make it easier for users to control and hide user data on the Web. This was a response to the QuitFacebookDay.com, campaign for users to close their social networking accounts, with more than 13,000 users pledged to quit on 31 May. Mr's Zuckerberg wrote that Facebook will make it simpler for its 400 million users to determine who gets to see their profiles, pictures and postings. On 21 May Andrew Noyes said for Facebook that it will make it easier for users to opt out of programs that allow the website to share data with advertisers.
Mr Zuckerberg said that "Simply put, many of you thought our controls were too complex... We missed the mark. In the coming weeks we will add privacy controls that are much simpler to use. We will also give you an easy way to turn off all third-party services." The week before his article, Facebook announced that it would remove a program that shares user identifications and other information with advertisers when a user clicks on an advertisement, reported the Wall Street Journal.
For further details on the Privacy Laws & Business International Newsletter, please click here.
Copyright Privacy Laws & Business 2010