Alerts and Updates
Data Protection Regulator for Germany's Schleswig-Holstein Calls for European Review of FTC's Safe-Harbor Program
August 6, 2010
An earlier Alert, "German Privacy Regulators Issue Decision on Data Protection and Safe-Harbor Self-Certification of US Companies," analyzed the Düsseldorfer Kreis decision that appeared to undermine the US Department of Commerce's Safe Harbor framework, one of the routes that enables data on individuals in Europe to be transferred to the United States. Following the Düsseldorfer Kreis, another German decision has made data transfer out of Germany potentially more challenging.
As explained in the previous Alert, Germany has a regional rather than federal system of data-protection regulation. Schleswig-Holstein is Germany's northernmost state, bordering Denmark, and includes the towns of Kiel and Lübeck. Thilo Weichert—the data-protection regulator for Schleswig-Holstein—said in a July 23, 2010, press release of Schleswig-Holstein's Unabhängiges Landeszentrum für Datenschutz (Independent Centre for Privacy Protection) that he thinks that the Safe Harbor program should be reviewed, with a view to the European Commission's approval of the deal with the United States being revoked.
There is precedent for this, as previous deals with the United States over air travel and bank information have been overturned. Dr. Weichert's statement made specific reference to a report prepared by Australian consultancy Galexia in December 2008. Dr. Weichert said that Galexia is about to publish new findings that may again convey misgivings about Safe Harbor and its enforcement. He said that the FTC receives more than 2,000 complaints each year that corporations are not in compliance with Safe Harbor, but it has only taken enforcement action against seven corporations in the system's 10-year history.
What This Means for Companies
Dr. Weichert's announcement and the earlier Düsseldorfer Kreis' decision indicate that companies may want to prudently handle any data on citizens of Schleswig-Holstein that is transferred to the United States, where the company or any third party is relying on the Safe Harbor program.
For Further Information
If you have any questions about this Alert, please contact Jonathan P. Armstrong in our London office, Eberhard H. Röhm in our New York office, any of the members of the Information Technologies and Telecom Practice Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.