Sept. 16 — New guidelines from one of Germany’s 16 state data protection regulators could shed some light on how the nation’s other enforcers will implement the European Union-U.S. Privacy Shield, data protection attorney told Bloomberg BNA Sept. 16.
The guidance, issued Sept. 12 by the data protection authority (DPA) of the German State of North Rhine-Westphalia (NRW), applies only to NRW and is meant to be an overview of the Privacy Shield and gives advice on the agreement’s implementation.
Carlo Piltz, a data protection attorney at JBB in Berlin, told Bloomberg BNA Sept. 16 that “we will have to wait and see how other DPAs react to this first set of guidelines and if they publish their own.” Plitz said that “the conference of all German DPAs might also publish an opinion on the implementation of Privacy Shield.”
The guidelines list requirements for companies that transfer data to a U.S. company under the Privacy Shield.
The Privacy Shield replaces the now defunct U.S.-EU Safe Harbor Program (22 PRA, 2/3/16). Over 4,400 U.S. companies relied on the Safe Harbor to transfer data from the EU to the U.S. in compliance with EU data protection law. The companies self-certified with the U.S. Department of Commerce under the Safe Harbor, and thousands of EU companies also relied on those certifications to send personal data to those companies.
More Guidelines Likely in Future
“The DPA explicitly states that the data controller has to fulfill certain additional ‘verification obligations,’” Piltz, said.
“These obligations concern tasks like assuring the U.S.-based company holds valid certification and complies with the requirements of the Privacy Shield.”
Companies must also check to see if the transferred data itself is covered by the certification, Piltz said.
“This might require major efforts from German companies if it is interpreted in a way that the data controller has to assess the U.S. company’s fulfillment of all the Privacy Shield principles,” he said.
Businesses must now regularly assess whether U.S. companies still fulfill these verification obligations, according to Piltz.
“In the DPA’s eyes, German businesses can’t just conclude a data processing agreement with a self-certified company and then transfer their data to the U.S.,” he said. “More effort on their part is required,” Piltz said.
The DPA also clarified that it reserves the right to suspend data transfers to U.S. companies under Privacy Shield depending on the outcome of annual reviews by the European Commission and the Department of Commerce, Piltz said.
Because further coordination between German and European DPAs on the implementation of Privacy Shield is required, these guidelines will be continuously updated and expanded, the DPA said in its guidelines.