European companies should stop sending data to the US, German privacy officials say

The exchange should stop because of NSA spying, privacy advocates said

The European Commission should suspend agreements that allow European companies to transfer personal data of European citizens to the U.S., the German Conference of Data Protection Commissioners has urged.

The Commission, meanwhile, is working on an assessment of the agreements that it will present before the end of the year.

Due to the mass surveillance of communications by the U.S. National Security Agency (NSA), U.S. companies can no longer fulfill European requirements for the exchange of personal data, said Germany's Conference of Data Protection Commissioners in a joint letter sent to German chancellor Angela Merkel that was published on Wednesday. The conference consists of the federal data protection commissioner and the data protection commissioners of the German states.

The European Commission's data protection directive prohibits the transfer of personal data to non-E.U. countries that do not meet E.U. standards for privacy protection. To allow exchange of personal data with U.S. organizations, the U.S. Department of Commerce and the European Commission developed a "Safe Harbor" framework, allowing E.U. companies to keep exchanging personal information within the bounds of the agreement.

Under the Safe Harbor conditions companies, for example, must show that they prevent penetration of their networks, Imke Sommer, the Bremen Commissioner for Data Protection and Freedom of Information said on Thursday. She added, however, that, "As we know by now there is no safe network, the NSA is watching."

Therefore, the German data protection authorities have asked the Commission to suspend the Safe Harbor agreements and review whether U.S. companies can still comply with them, she said. If the agreements are suspended, that would mean that no European company would be allowed to send personal data to the U.S., Sommer said.

"The Safe Harbor agreement may not be so safe after all," said Viviane Reding, vice president of the European Commission and the commissioner responsible for justice, fundamental rights and citizenship at the informal Justice Council in Vilnius last Friday. "U.S. data protection standards are lower than our European ones. I have informed ministers that the Commission is working on a solid assessment of the Safe Harbor Agreement which we will present before the end of the year."

The European Parliament and European industry have also been asking for a review, and the Commission will take note of the call from data protection and privacy advocates in Germany for an assessment, a Commission official said on Thursday.

Because German authorities have deemed the Safe Harbor principles violated, they have also urged companies in the country to stop the exchange of personal data with the U.S., Sommer said. If the companies are unable to prove that the data of German citizens sent to the U.S. is safe, the authorities can order them to stop sending data to the U.S., she said.

"All European data protection authorities can start doing this," Sommer added.

However, not all data protection authorities agree with the German authorities.

The Irish Office of the Data Protection Commissioner (ODPC) said on Tuesday that the exchange of personal data of Irish subsidiaries of Facebook and Apple with the U.S. is in line with Safe Harbor principles, according to documents published by the Austrian student group Europe-v-Facebook on Thursday.

In late June, student group Europe-v-Facebook filed a barrage of complaints against European subsidiaries of major technology companies, claiming their data collection runs afoul of European privacy laws. The complaints were filed in Ireland against Facebook and Apple, in Luxembourg against Skype and Microsoft, and in Germany against Yahoo.

The group said that companies such as Facebook Ireland should not be allowed to export Europeans' data to the U.S. if the data is then forwarded to the NSA for massive surveillance of personal information without probable cause, the group said in a news release.

The complaints were filed after former NSA contractor Edward Snowden leaked documents revealing NSA surveillance programs.

In a formal response to Europe-v-Facebook, however, Irish data protection authorities said that they see no breach of safe harbor protections.

"We consider that an Irish-based data controller has met their data protection obligations in relation to the transfer of personal data to the U.S. if the U.S. based entity is 'Safe Harbor' registered," wrote Ciara O'Sullivan, senior compliance officer of the Irish ODPC.

"I can advise that we do not consider that there are grounds for an investigation under the Irish Data Protection Acts given that 'Safe Harbor' requirements have been met and on that basis we cannot identify that a contravention of the Acts has taken place," she added in a follow-up email to the group on Wednesday.

"The Germans see a major breach of fundamental rights, while the Irish do not even see a reason for an investigation," said Max Schrems, a spokesman for Europe-v-Facebook. "We are very confident that the decision in Germany will be more substantial and very different than in Ireland."

On Thursday, a broad coalition of mainly German civil rights organizations published a list of 12 demands directed at policy makers in reaction to the NSA surveillance program.

The open letter was signed by groups including the German digital rights group Digitale Gesellschaft, Greenpeace Germany, the German Journalist Association, the Electronic Frontier Foundation and the Chaos Computer Club.

The groups called on governments, national parliaments and European institutions for a consistent implementation and defense of the fundamental rights to privacy and data protection. They also want an obligation to individually notify affected persons after every act of digital surveillance or inspection and called for the disclosure of every agreement, law and action that has an adverse effect on the right to informational self determination.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to

Join the CSO newsletter!

Error: Please check your email address.

Tags AppleYahooskypeGoogleMicrosoftsecuritylegalprivacyFacebook

More about AppleElectronic Frontier FoundationEuropean CommissionEuropean ParliamentFacebookIDGMicrosoftNational Security AgencyNSAPrismSkypeYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place