Buried deep in my article Cross-border discovery and privacy gaps widen thanks to PRISM and trolls was a reference to an article by Hunton & Williams called German DPAs Halt Data Transfer Approvals and Consider Suspending Transfers Based on Safe Harbor, EU Model Clauses.
I should, perhaps, have put that at the top of my article, because it is probable that its significance – which appears clearly from its heading – may have been missed in amongst the other topics covered. It was, perhaps, the most important single thing in what was a long article.
Those who find it necessary to collect data for the purposes of US civil litigation, or in order to comply with a regulatory requirement, are used to the difficulties posed by the conflict between broad US discovery requirements and EU restrictions. The general message, from me at least, is that almost anything reasonable is possible, provided that the legal and technical difficulties are identified promptly and shared with opponents, courts or regulators, and provided that technology is used in-country to identify and filter out personally identifiable information (PII). Both are prerequisites for any attempt to win agreement from the demanding party, or to obtain it from the court by reference to the adequacy of the steps taken.
The threat from the German data protection authorities raises the game somewhat. The apparent restrictions extend beyond the personally identifiable information which is the usual concern to all data, as a result of fears about US analysis and the use which might be made of it.
A timely article has appeared from international law firm Taylor Wessing. Called Germany: will data transfers to the US become unlawful due to PRISM? it summarises clearly what is known of the likely attitude of German authorities on the information presently available.
The article makes the point that many data transfers are allowed at present because they are data-controller-to-data-controller transfers with EU-standard contractual clauses or are made under Safe Harbor. What is easily overlooked, however, is that neither of these is a free-standing get-out clause, and neither of them makes lawful activities which would fall foul of the regulations in their home countries. All the data protection principles must be complied with, including provisions which require that data be kept only for the purpose for which it was collected, and only for as long as it is needed for that purpose, together with provisions as to consent. What we now know about the NSA and PRISM may undermine the premises on which permission for transfers is usually granted or (where permission is not required) the analysis which data controllers are required to make before transferring data.
It is these considerations, among others, which are often overlooked by those requiring or seeking to give US discovery. Safe Harbor does not bypass the other requirements nor, on its own, give protection for data transfers which would otherwise fall foul of the regulations.
In this context, you might like to read two things. The first is a letter from the Irish Information Commissioner to Apple concerning data transfers. Note the references both to EU reconsideration in the light of PRISM and to the specific circumstance of transfers to combat criminal or terrorist activities, which are to be distinguished from the demands of civil litigation.
The second is the section in the UK Information Commissioner’s Office’s guide to Principle 8, which sets out clearly the need to meet the requirements under all the Principles, rather than treating the Principle 8 exemptions as freestanding authority to make transfers.
We must wait and see what the true effect is of the decision by the German DPAs, and how that plays out in the evolving PRISM story.
My thanks to Mary Mack at ZyLAB for pointing us to the Irish Data Protection Commissioner’s letter.