The striking down of the Safe Harbor data sharing agreement by the European Union's highest court on Oct. 6 left a legal vacuum that European Commission officials immediately sought to fill with a reminder of the legal alternatives available and promises of coordinated action by national privacy regulators, who responded with their own reassurances on Oct. 16.
But on Monday night, German data protection registrars at the state level called into question many of the points agreed on by the national regulators, and left companies little alternative but to store the data of European citizens in Europe.
EU law requires that companies exporting the personal information of EU citizens do so in a way that guarantees it privacy protection equivalent to that provided at home. The Safe Harbor self-certification program was one of the mechanisms by which companies could provide that guarantee, until the Court of Justice of the European Union declared it invalid.
Companies reliant on it suddenly found themselves unable to make such transfers legally, until they could adopt an alternative legal mechanism such as binding corporate rules or model contract clauses, or obtain unambiguous and informed consent from those whose data they were transferring.
EU national data protection authorities meeting together as the Article 29 Working Party said on Oct. 16 that they consider those alternative mechanisms valid, although they are still completing their legal analysis of the CJEU ruling. They warned companies still relying on Safe Harbor that they are now operating illegally, and urged them to consider what technical or legal steps they need to take to protect the personal data they handle.
The working party's members declared something of a truce until the end of January, at which point they said they would consider coordinated enforcement actions to ensure companies complied with data protection requirements.
There'll be no data truce in Germany, however. Hamburg's data protection registrar will immediately begin auditing German subsidiaries of U.S. companies registered under the Safe Harbor agreement, and it could issue prohibition orders, it warned. A position paper it published with other state regulators makes clear that they too will block any data transfers they discover are relying on Safe Harbor for their legal justification.
But it gets worse for businesses: The state regulators also questioned whether binding corporate rules and model contract clauses offered sufficient privacy guarantees under EU law, and said that with immediate effect they will grant no new approvals for data transfers under these mechanisms.
That leaves businesses with just one possibility for exporting personal information: obtain the consent of the data subject. Even this consent, though, will not satisfy the German regulators if the data transfers are massive, repetitive or routine. Furthermore, companies should only export the personal data of their employees in exceptional circumstances, they said.
So where does that that leave companies? Hamburg's Commissioner for Data Protection and Freedom of Information, Johannes Caspar, spelled it out: "Anyone who wants to escape the legal and political implications of the CJEU judgment should in future consider storing personal data only on servers within the EU."
That's upset John Higgins, director-general of DigitalEurope, an industry lobby group representing Apple, BlackBerry, Google, Microsoft, Oracle and SAP, among others. He warned that the German authorities' refusal to approve new binding corporate rules or model contract clauses will lead to unnecessary market volatility.
"The restrictions placed on options such as consent are not workable in practice. It is unclear how many small and medium sized companies operating in Germany will be able to continue their commercial activities with these new restrictions," Higgins said.
At least one category of business will be happy: Hosting companies with servers in Europe. The Germans' move is a dream come true for companies like Zettabox that guarantee that Europeans' personal data will be hosted in Europe.
"Companies of all sizes will need to look to providers that can successfully answer the question 'Where is my data?'" said Alexander Guy, Zettabox's head of sales and business development.
Expect a flurry of service announcements -- particularly in Germany.