The European tech industry is firing back against German data privacy chiefs, who announced this week that they would suspend data transfers to the United States and suggested businesses operating in Europe store data only in EU member states.
Tech industry association DigitalEurope said today (28 October) that German data protection authorities’ announcement would “lead to unnecessary market volatility”.
DigitalEurope represents tech companies including giants Google, Apple, IBM and Nokia.
Privacy regulators from the powerful German Länder and German national watchdog announced on Monday (26 October) that they would not allow any data transfers to the US on the basis of binding corporate rules or data transfer contracts. Data protection experts called those alternative legal channels for transfers into question after the European Court of Justice ruled the Safe Harbour agreement illegal on 6 October.
Safe Harbour allowed companies to transfer Europeans’ data to the US if they vouched for high privacy standards, but the ECJ determined that data protection in the US wasn’t on par with EU requirements.
During a debate in the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) Committee on Monday, EU Justice Commissioner Vera Jourova defended contract clauses and binding corporate rules as valid means to transfer data to the US.
The German authorities’ announcement this week shows how the country’s notoriously stringent privacy watchdogs are stepping forward to set up national safeguards on transfers to the US.
But tech companies are concerned the German data regulators’ plans might not be in tandem with authorities in other EU countries.
“The statement of the Germany data protection authorities goes in direct contradiction to the coordinated approach between Member State authorities that we were expecting and the Article 29 Working Party agreed to,” said John Higgins, DigitalEurope’s director general, referring to the meeting of national authorities two weeks ago.
“The restrictions placed on options such as consent are not workable in practice. It is unclear how many small and medium sized companies operating in Germany will be able to continue their commercial activities with these new restrictions,” Higgins added.
Hamburg’s data protection authority announced on Monday that his office would check companies based in Hamburg to see if they are still using Safe Harbour to transfer data to the US—even after the agreement was ruled invalid. Facebook and Google have their German headquarters in Hamburg.
“Whoever wants to avoid the legal and political consequences of the judgment should in the future especially consider storing personal data on servers only within the EU,” said Johannes Caspar, the city’s privacy regulator.
But DigitalEurope is concerned that restricting data so it can’t leave the EU will be a blow to businesses.
“Data localisation clearly isn’t a solution to the surveillance issue, and this needs to be resolved in government-to-government negotiations,” Higgins said.
Existing European rules on data protection were adopted in 1995, when the Internet was still in its infancy.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
Since then, the data protection debate took a new twist with revelations about US eavesdropping activities.
Whistleblower Edward Snowden revealed in 2013 that the NSA had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.
European politicians reacted angrily to the news and called for stricter measures to ensure privacy.