The Impact of German Privacy Laws on IT at US Holding Companies
DEMYSTIFYING TRANSATLANTIC ACTIVE DIRECTORY INTEGRATION BETWEEN THE UNITED STATES AND GERMANY
UNDERSTANDING THE IMPACT OF GERMAN PRIVACY LAWS FOR US HOLDING COMPANIES WANTING TO INTEGRATE ACTIVE DIRECTORY FORESTS IN GERMANY WITH THEIR ACTIVE DIRECTORY DOMAIN IN THE UNITED STATES.
Recently, one of our clients at Brier & Thorn reached out to us for guidance on connecting the Active Directory forest in their German office to the forest in their United States office, and on whether German privacy laws would permit or prohibit that data sharing.
Connectivity between a German subsidiary and its parent company has become quite prevalent in recent years, and it is a question we are asked on a fairly frequent basis, having recently opened our new Security Operations Center in Stuttgart, Germany to provide managed security services to our European clients. This article aims to demystify that question and to provide guidance to IT departments at companies with subsidiaries in Germany that want to integrate the German subsidiary's Active Directory forest with the parent company's forest in the United States.
I should preface this article with the fact that I am not a lawyer and am by no means providing legal advice. Companies are urged to work with their legal counsel to understand how the German Federal Data Protection Act applies to their unique business and whether transmitting and storing data from their German subsidiaries in the United States is permissible.
Let's first quickly explain why this is even a challenge. The German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) is a federal data protection law that, together with the data protection acts of the German federal states and other area-specific regulations, governs the exposure of personal data that is processed manually or stored in IT systems.
Personal data, as defined in the Act, means any information concerning the personal or material circumstances of an identified or identifiable individual (the data subject). Under the definition of personal relationships, this includes the individual's name, address, occupation, e-mail address, IP address, or personal number.
With that said, let’s get right to the point.
The role of the US company in this circumstance would be that of an "IT service provider" to the German subsidiary, processing personal data of the German subsidiary only on behalf of, and subject to the instructions of, the German subsidiary.
It is important to understand that under German data protection laws, a transfer of personal data to a group entity is considered a transfer of personal data to a third party, as data transfers between affiliated companies are not privileged under German law.
In summary, having personal data of a German subsidiary processed by the US holding company on behalf of the German subsidiary is possible in the context of a centralized IT infrastructure, provided that all of the following conditions are met:
The transfer is necessary to safeguard justified interests of the German subsidiary (which can be the economic or administrative interest in the centralization of Active Directory), and there is no reason to assume that the data subject has an overriding legitimate interest in his data being excluded from the transfer (Section 28 para. 1 no. 2 of the German Federal Data Protection Act (BDSG)). The German subsidiary's legitimate interest may include economic interests, such as cost savings achieved through the centralization of Active Directory in the United States. Furthermore, the processing must be necessary, with regard to the type of data and the scope of the processes, to safeguard these interests. With regard to the employee's interest, if the processing is limited to basic IT administrative data, such as just a username, password, full name, etc., and as long as no private data of the employee is transmitted and stored, the US holding company has a strong argument that the employee's opposing interests are less significant and thus do not override the German entity's interest;
No sensitive personal data is transferred to or processed in the United States. Sensitive personal data, the so-called special categories of personal data (Section 3 para. 9 BDSG), means information on a person's racial or ethnic origin, political opinions, religious or philosophical convictions, union membership, health, or sex life, which an Active Directory account should not contain; and
An adequate level of data protection is established for the US holding company (as an entity in a country outside the EU/EEA), which, following the ECJ Safe Harbor decision of 06 October 2015, can no longer be based on the US FTC's Safe Harbor Program. To meet this data protection requirement, the US holding company must:
Sign the so-called EU Model Clauses for controller-to-processor relationships with the German subsidiary, issued by the European Commission (also referred to as Standard Contractual Clauses, SCC), including certain amendments required by the German data protection authorities, or, as a mid-term alternative, establish so-called Binding Corporate Rules (BCR) between the two entities.*
*Currently, the German and European data protection authorities are still evaluating whether the ECJ Safe Harbor decision also affects the validity of the EU Model Clauses and/or Binding Corporate Rules. While it cannot currently be excluded that the EU Model Clauses, as currently used, may be judged insufficient to justify US data transfers, signing the EU Model Clauses is at present the only quickly implementable option available to establish an adequate level of data protection between Germany and the US.
October 2015 Court of Justice of the European Union on Safe Harbor Ruling
On October 06, 2015, the Court of Justice of the European Union declared the United States Safe Harbor framework invalid as a mechanism to legitimize transfers of personal data from the EU to the US. The court's view is that Safe Harbor is unable to prevent large-scale access by the U.S. Intelligence Community to data transferred from Europe, and therefore does not provide an adequate level of data protection.
In closing: yes, integrating the Active Directory forest of a German subsidiary with that of its parent company in the United States is possible, so long as the appropriate agreements are defined and put in place that meet the requirements of the EU Model Clauses for controller-to-processor relationships, and so long as no data transmitted to and processed by the US holding company is classified as "special category" data as defined by the BDSG.
Working Document on Model Clauses for Personal Data Transfers from EU data processors to Non-EU sub-processors
The Article 29 Working Party (WP29) issued a working document on model clauses for personal data transfers from EU data processors to non-EU sub-processors. This document is an important step towards creating a more comprehensive framework for contract-based personal data transfers outside the EEA. It can be downloaded here.