German privacy regulators have announced an investigation into data transfers from the European Union to the U.S. from companies such as Google and Facebook.
The decision follows a bombshell court ruling that invalidated a key data-flow agreement between the United States and the EU.
The surprise move comes just as the EU said it had struck a deal in principle with the United States on a new agreement to allow companies to legally transfer information between borders.
Observers expected privacy regulators to wait until there was demonstrable harm to an EU citizen before taking action in the wake of the court’s decision, but Germany’s announcement suggests that its data protection agency will be proactively investigating companies for illegal transfers.
U.S. firms with headquarters in Germany — including Facebook and Google — will be the first to be targeted, Der Spiegel reports.
Although European regulators have tried to reassure companies that alternative means of legally transferring data remain available to them, Germany also cast doubt on the validity of other transfer mechanisms in a working paper put out this week.
Germany is seen as one of the toughest nations on privacy in the EU.
Onlookers say the announcement adds to an already uncertain regulatory environment, as companies wait anxiously for guidance from both EU data regulators and negotiators who are hammering out a new international agreement.
Businesses that operate across the Atlantic have been watching closely to see how Europe’s various data protection authorities will react in the wake of last month’s court ruling, which struck down the so-called Safe Harbor agreement.
The 15-year-old framework made it legal for U.S. firms to transfer and house European citizens’ data. According to the court, because of its surveillance practices, the U.S. cannot be seen as adequately protecting privacy rights.
Over 4,000 firms relied on Safe Harbor to handle EU data, although not all depended exclusively on the framework. Many larger firms, such as Facebook, also had additional privacy mechanisms in place.
Germany called into question some of the better-known alternatives, including standard contractual clauses and what are known as Binding Corporate Rules, which are internal policies that international companies can use to ensure data transfers protect individual privacy even in countries that don’t meet EU standards.
The court provided no grace period for companies to comply in the absence of Safe Harbor. Critics say that without more guidance from regulators, the ruling opened the door for a patchwork system of country-to-country enforcement as lower courts take on more cases like the original complaint.
Earlier this month, a working group of data protection authorities gave the European Commission and the United States three months to come up with an alternative to Safe Harbor before they took enforcement action.
The authorities’ statement also advised businesses to “reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection.”
Justice Commissioner Vera Jourova told European lawmakers on Monday that the two sides are close to concluding talks and that an updated Safe Harbor agreement could be finalized in the coming months.
“There is agreement on these matters in principle, but we are still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the court,” Jourova said.