Privacy officials in Germany penned a position paper arguing that standard contract language and binding corporate rules do not adequately provide the data protections necessary for legal U.S.-EU data flows. In the paper's view, these two data transfer alternatives to Safe Harbor are not viable.
The German data protection authority (DPA) recommended a path of informed consent. U.S. companies should provide potential EU partners full disclosure of how U.S. information security and data privacy laws lack protections equivalent to the EU’s laws. Before consenting to data transfers with U.S. organizations, EU companies must be made aware of the U.S. government’s ability to access data and personal information. But it doesn’t stop there. The DPA asserted that discrepancies between individual privacy rights in the U.S. and EU should be clarified, as well as the U.S. government’s shortcomings in abiding by EU privacy standards.
However, the German DPA warned that providing these disclosures may still not be enough, considering the U.S. mass surveillance programs brought to light in 2013 by Edward Snowden.
The position paper may be a harbinger of developments in the era beyond Safe Harbor invalidation. In fact, the Israeli Law, Information and Technology Authority (ILITA) has also disallowed U.S. businesses from conducting Israel-U.S. data transfers under Safe Harbor exceptions. EU countries and allies may follow suit unless the U.S. government agrees to elevated privacy principles or limits its unchecked national surveillance program.