Nov 72016

German Data Protection Authorities to Audit 500 Companies

William RM Long, Colleen Theresa Brown and Francesca Blythe
, ,

Ten state German data protection authorities announced on 3 November 2016 that they would be conducting a review of approximately 500 companies in respect of their international transfers of personal data. Under EU data protection laws, there is a general prohibition on transfers of personal data to countries outside the European Economic Area (“EEA“), which do not ensure an adequate level of protection, such as the US, unless certain exemptions apply. Exemptions include, for example, consent of the data subjects, EU-US Privacy Shield certification, Binding Corporate Rules and EU data transfer agreements known as “Model Contracts.”

The audit initiative is consistent with recent enforcement action and policy statements repeatedly made by several German data protection authorities in the wake of the invalidation of the Safe Harbor in the fall of 2015.  The Privacy Shield has since replaced Safe Harbor, available for certification as of August 1, 2016.

We understand that the 500 companies will be randomly selected for the audit and according to the Bavarian data protection authority “great importance [has been placed] in involving companies of different sizes and different sectors.” Those companies selected will receive requests in due course to provide product and service specific information as well as the legal basis on which they transfer personal data outside of the EEA. The looming audits highlight the importance of ensuring robust privacy programs are in place, and attending to global international data transfer solutions despite ongoing scrutiny over key transfer solutions Model Contracts and Privacy Shield.

William RM Long

London

wlong@sidley.com

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Francesca Blythe

London

fblythe@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.