Safe Harbor Alternatives Deemed Invalid by German Privacy Officials

By Joseph D. McClendon and Daniel L. Farris

In another blow to U.S. companies that wish to transfer personal information out of the EU, German privacy officials issued a position paper stating that standard contractual clauses and binding corporate rules, two alternatives to Safe Harbor, are no longer viable alternatives to Safe Harbor.

In their place, the German data protection authority (DPA) recommends that individuals be given comprehensive information about the lack of information security and data protection laws in the U.S. before giving consent to having their personal information transferred to the U.S. To give informed consent, the German DPA suggests that the individual would have to be told about the U.S. government’s unrestricted ability to access personal information; the lack of rights the individual has regarding protection of personal information in the U.S.; and the U.S. government’s failure to adopt the European Union’s privacy principles.

Despite that recommendation, the German DPA concludes that even informed consent may not be a reasonable option given the U.S. government’s domestic mass surveillance program which was exposed by Edward Snowden in 2013.

This paper is yet another ripple in the aftermath of the European Court of Justice’s September ruling that the EU Commission’s Safe Harbor decision is invalid. With the Israeli Law, Information and Technology Authority (ILITA) having already revoked authorization for U.S. businesses to use the Safe Harbor exception to transfer data from Israel to the U.S., expect more EU countries and EU allies to limit or outright restrict data transfer to the U.S. until the U.S. government adopts stronger privacy standards and ends unrestricted domestic surveillance.