Germany is again taking the lead on cross-border data transfers, this time focusing on cloud and SaaS ramifications. Ten German Data Protection Authorities are working together to audit five hundred companies regarding their international data transfer practices. Earlier this year Germany issued the first fines for unlawful cross-Atlantic data transfers in light of Safe Harbor's invalidation, with the promise of larger fines to come.
The enquiry is, in part at least, an awareness campaign. The DPAs cite the enormous growth of personal data crossing borders, particularly with the use of SaaS and cloud services. Many companies, the DPAs say, may not realize the extent to which data flows out of the EU with the use of those services. They may also be unaware of data protection requirements that accompany the data flows. The enquiry process will increase the awareness of privacy laws and the requirements of compliance.
The Berlin DPA is leading the group of 10 DPAs in this campaign. They will select 500 companies in Germany, ranging in size, and representative of many industry segments. Each company will be given an extensive questionnaire that explores trans-border transfer of personal data, the use of cloud services, and processes for protection of the data. The answers will be evaluated, and if the DPAs find matters unsatisfactory they will investigate further.
Companies will be asked specific questions about products and services from providers outside the EU or EEA. The companies must note what services they use in areas such as CRM, chat and messaging, recruitment, marketing, cloud services and others. For each acknowledged service the company then explains the means used to ensure adequate data protection. Company management and the data protection officer then sign the questionnaire to confirm its accuracy.
Germany has used questionnaires in the past, and has initiated investigations based on the answers. Any company that receives one should take it very seriously, and expect the answers to be verified for accuracy by the DPA. While the stated objective of the enquiry is fact finding and awareness building, it's not clear whether penalties would be imposed if unlawful transfers are taking place. German law allows for fines of up to EUR 300,000.