The German Data Privacy authorities have picked up on the limitations of the US "Safe Harbor" accreditation system. This system, in theory, makes it legal for EU and UK companies to transfer data to the US by just checking that the US recipient is on the "Safe Harbor" list maintained by the Federal Trade Commission (FTC).
However, the Safe Harbor accreditation process is one of "self-certification", and studies have shown that many of the companies that claim to be "Safe Harbor Certified" are not, in fact, compliant with the requirements. So the German authorities have stepped up the requirements and are now saying that companies should seek a copy of the latest annual certification to the U.S. Department of Commerce, together with an explanation of how the notice principle is complied with.
If a German company wants to go beyond this and verify actual compliance with the Safe Harbor Principles, then it appears necessary to obtain a written statement from an independent third-party auditing firm that has reviewed the data importer's Safe Harbor compliance.
This development is a clear recognition that the Safe Harbor process simply isn't working, and it reflects the growing concern over the cavalier attitude to data privacy evidenced by many US companies. With more and more businesses seeking to outsource some form of data processing to US vendors, this is a very interesting development that will call into question the wisdom of using non-EU domiciled data companies.