Germany to investigate Google, Facebook over data transfers

Recent Safe Harbor ruling has data protection authorities looking at US companies.

Glyn Moody – Oct 27, 2015 5:18 PM | 36

German data protection authorities have announced that they will immediately begin investigating data transfers from the EU to the US by companies such as Facebook and Google, and may issue orders for data flows to be halted.

The recent decision by the Court of Justice of the European Union (CJEU) gave local data protection authorities the power to examine whether data transfers under the Safe Harbour framework breached EU laws. However, it was expected that this would take place only once formal complaints about harm from such transfers had been received from affected members of the public, as in Ireland. Instead, the German data protection authorities have decided to begin investigating on their own initiative, as the German news magazine Der Spiegel reports.

The announcement of the surprise move was made by Hamburg's commissioner for Data Privacy and Freedom of Information, Johannes Caspar. As Ars reported back in 2013, Caspar has been one of the most active in investigating possible breaches of EU privacy laws by Google. Der Spiegel writes that US companies with headquarters in Hamburg will be among the first to be targeted, including Google and Facebook.

Ars Video

As well as the Safe Harbour framework, now effectively useless after the CJEU judgement, both Google and Facebook employ standard contracts and binding corporate clauses in an attempt to keep their data transfers from the EU to the US compliant with EU privacy law. However, the German data protection authorities also have their doubts about whether these alternatives will pass muster either, and say that they will not be granting any new approval for data transfers to the US to take place using them.

Caspar did offer a suggestion for US companies that wish to avoid possible problems in the wake of the CJEU ruling: "Anyone who wants to remain untouched by the legal and political implications of the judgement, should in the future consider storing personal data only on servers within the European Union." However, this is not likely to go down well with US companies, which are pushing hard for solutions that do not involve them building data centres in the EU.

Many are pinning their hopes on the drawing up of a new Safe Harbour agreement. The Wall Street Journal reported yesterday that the EU and the US had "agreed in principle" on a new framework. The European Commissioner for Justice, Consumers and Gender Equality, Vera Jourova, told MEPs in Brussels: "There is agreement on these matters in principle, but we are still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the [CJEU ruling]."

That won't be easy, since it would seem to require the US authorities to give meaningful assurances that the data of EU citizens held in the US will not be spied on routinely by the NSA, which is unlikely to be forthcoming.