The European tech industry is firing back against German data privacy chiefs, who announced this week that they would suspend data transfers to the United States and suggested businesses operating in Europe store data only in EU member states.
Tech industry association DigitalEurope said today (28 October) that German data protection authorities’ announcement would “lead to unnecessary market volatility”.
DigitalEurope represents tech companies including giants Google, Apple, IBM and Nokia.
Privacy regulators from the powerful German Länder and German national watchdog announced on Monday (26 October) that they would not allow any data transfers to the US on the basis of binding corporate rules or data transfer contracts. Data protection experts called those alternative legal channels for transfers into question after the European Court of Justice ruled the Safe Harbour agreement illegal on 6 October.
Safe Harbour allowed companies to transfer Europeans’ data to the US if they vouched for high privacy standards, but the ECJ determined that data protection in the US wasn’t on par with EU requirements.
During a debate in the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) Committee on Monday, EU Justice Commissioner Vera Jourova defended contract clauses and binding corporate rules as valid means to transfer data to the US.
The German authorities’ announcement this week shows how the country’s notoriously stringent privacy watchdogs are stepping forward to set up national safeguards on transfers to the US.
But tech companies are concerned the German data regulators’ plans might not be in tandem with authorities in other EU countries.
“The statement of the Germany data protection authorities goes in direct contradiction to the coordinated approach between Member State authorities that we were expecting and the Article 29 Working Party agreed to,” said John Higgins, DigitalEurope’s director general, referring to the meeting of national authorities two weeks ago.
“The restrictions placed on options such as consent are not workable in practice. It is unclear how many small and medium sized companies operating in Germany will be able to continue their commercial activities with these new restrictions,” Higgins added.
Hamburg’s data protection authority announced on Monday that his office would check companies based in Hamburg to see if they are still using Safe Harbour to transfer data to the US—even after the agreement was ruled invalid. Facebook and Google have their German headquarters in Hamburg.
“Whoever wants to avoid the legal and political consequences of the judgment should in the future especially consider storing personal data on servers only within the EU,” said Johannes Caspar, the city’s privacy regulator.
But DigitalEurope is concerned that restricting data so it can’t leave the EU will be a blow to businesses.
“Data localisation clearly isn’t a solution to the surveillance issue, and this needs to be resolved in government-to-government negotiations,” Higgins said.