When we talk to customers and prospects about enterprise software in the cloud – such as Google G Suite – we often encounter reservations about privacy and data security. Do U.S. companies such as Google, Microsoft & Co. really maintain the high standards that are legally binding in Germany and the EU? Attorney Wikey Chada takes a look at the facts.
General personality rights are not explicitly mentioned in the Basic Law for the Federal Republic of Germany (Grundgesetz, GG), but a 1954 decision of the Federal Constitutional Court (BVerfG) and a large number of subsequent rulings [1] derive them from Article 1 (1) GG, which guarantees respect for human dignity, in connection with the fundamental right conferred by Article 2 (1) GG to the free development of one’s personality. As such, an individual’s general personality rights also include the right to self-determination regarding personal data [2], and thus the right to the protection of their personal data, or in short, data protection.
However, data protection is a fundamental right not only in Germany, but also within the European Union (Art. 8 Charter of Fundamental Rights of the European Union) and is therefore comprehensively protected by law throughout Europe. For example, the European Union’s Data Protection Directive 95/46/EC prohibits the transfer of personal data to third countries whose data protection is not comparable with that of the EU. Data privacy is not so widely protected in the United States, where the world’s largest internet companies are located in Silicon Valley, among other places.
To ensure that data traffic between the two sides would not come to a standstill in an increasingly digital world, the EU concluded an agreement with the U.S. at the beginning of the new millennium [3], under which the U.S. government had to draft regulations ensuring sufficient protection for the personal data of EU citizens. U.S. companies could join the so-called Safe Harbor agreement under the rules drafted by the U.S. if they committed themselves to comply with the data protection regulations established there.
However, after the Safe Harbor agreement was annulled by the European Court of Justice (ECJ) in its Safe Harbor ruling of September 2015 (Case No. C-362/14) [4] due to various violations of fundamental rights, the EU and the U.S. began negotiations, led by EU Justice Commissioner Vera Jourová, on a new agreement that would provide a sufficient basis for a satisfactory solution.
The result of these negotiations between the EU and the U.S. was the EU-U.S. Privacy Shield [5]. It consists of a large number of assurances on data protection given by the U.S. federal government under Barack Obama and the EU Commission’s so-called adequacy decision [6], under which the EU Commission is responsible for ensuring that transatlantic data traffic is reasonably secure, in line with the high level of protection afforded by the EU-U.S. Privacy Shield, within the meaning of EU data protection law [7].
The explicitly stated goal of the Privacy Shield is to restore confidence in transatlantic data traffic [8].
The core elements of the Privacy Shield are as follows:
Adequate level of data protection
The EU Commission’s decision states in Articles 1 to 6 that the U.S. ensures an adequate level of protection for personal data from the EU area, following the numerous assurances given by the U.S. [9]
Companies that import or exchange data must undergo an annual re-certification process and are then published on the Privacy Shield List [10]. Since its introduction, more than 2,400 U.S. companies have been certified.
In contrast to the Safe Harbor agreement, the Federal Trade Commission (FTC, an independent consumer protection authority), the U.S. Department of Transportation (DOT) and the U.S. Department of Commerce (DOC) are to ensure compliance with the companies’ voluntary commitment [11].
The following overview shows a rough outline of their responsibilities:
- As a consumer protection agency, the FTC has numerous civil law powers to promote consumer protection in order to prevent unfair or misleading acts by companies with regard to breaches of data protection and to monitor compliance with the provisions. In addition, it implements policy initiatives to enforce data protection and acts with other authorities to initiate criminal law procedures.
- The DOT investigates violations of the EU-U.S. Privacy Shield and takes enforcement action against companies acting unfairly (in particular injunctions and orders imposing civil liability sanctions in the event of violations). It monitors compliance with the measures and publishes its findings.
- The DOC maintains the Privacy Shield list, which includes certified companies and/or states the reasons why companies were removed from the list because of unfair practices. In addition, the DOC ensures that certified companies provide free, independent ombudsman services for EU citizens and are subject to the jurisdiction of the FTC, DOT and other enforcement bodies.
Access rights of the American authorities
The EU Commission called for adequate access rights to enforce effective protection of privacy [12], referring to U.S. law, which has been tightened on crucial points since 2013 [13] and now incorporates supervisory measures against companies. It should be noted that the EU Commission has thoroughly reviewed the establishment of effective legal protection, under which legal remedies are available to EU private individuals in the U.S. to enforce data protection [14].
Annual inspection obligations of the EU Commission
Finally, it should be noted that the EU Commission has undertaken to examine whether the appropriate level of data protection in the U.S. is being maintained as agreed [15]. The first audit report was to be made available in the second week of October 2017, as EU Justice Commissioner Vera Jourová announced on 21 September 2017 [16]. It will be interesting to see whether America, under President Donald Trump and his “America first” policy, feels bound by the Obama administration’s agreements. However, thousands of jobs on both sides of the Atlantic depend on secure transatlantic data traffic, so it remains in the interest of the United States to comply with the agreement.
In any case, companies currently have legal certainty that transatlantic data transfers to companies certified under the Privacy Shield are permissible, based on the currently fully applicable Privacy Shield agreement.
Google committed to the EU-U.S. Privacy Shield on 25 September 2016 and has since been certified under the agreement [17]. Any traffic to Google’s servers located in the United States is therefore subject to the Privacy Shield agreement. In addition, Google operates data centers on the European continent, so for data that remains within the EU the question of Privacy Shield certification does not even arise.
Wikey Chada (Xing, LinkedIn) is a lawyer (www.chada-law.de) based in Wiesbaden. His current practice focuses on German and international commercial law, in particular in the areas of IT law, data protection law, copyright law, other areas of industrial property law as well as tax law and corporate law.
If you are considering using Google technology within your company, //SEIBERT/MEDIA and lawyer Wikey Chada will be happy to help you: Contact us!
Commission Decision of 26 July 2000 (PDF) pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the “safe harbour” privacy principles and related “frequently asked questions” (FAQ) issued by the U.S. Department of Commerce. In: Official Journal of the European Communities (Amtsblatt der Europäischen Gemeinschaften), 25 August 2000, L215/7. Retrieved 15 September 2017.