On June 6, 2016, the Hamburg Commissioner for Data Protection imposed fines on three internationally operating companies for still relying on Safe Harbor as the basis for their data transfers to the U.S.
Following the European Court of Justice’s (ECJ) decision in October 2015 that invalidated the EU-U.S. Safe Harbor regime, the Hamburg Data Protection Commissioner assessed the data transfer practices of 35 internationally operating companies with office locations in Hamburg. The Commissioner found that six months after the ECJ decision most companies had properly re-organized their data transfers but that this had not been the case with regard to the three companies now fined. And there may be more to come as proceedings against other companies are still pending.
The fines imposed were only between EUR 8,000 and EUR 11,000 because the three companies had already adjusted their data transfer practices during the proceedings. Future infringements, however, are likely to be fined more severely.
The Hamburg proceedings are the first high-profile example of European data protection authorities investigating and enforcing the ECJ’s Safe Harbor decision. While the Hamburg Commissioner is known to apply data protection laws very strictly, it can be expected that more data protection authorities in Germany and the EU will follow his example and start their own investigations. Therefore, the grace period for implementing the Safe Harbor decision can be considered officially over. If they have not already done so, companies should thus immediately assess whether their international data transfers are still based on Safe Harbor and, if this is the case, adjust them to comply with EU law by adopting alternative solutions such as EU Model Clauses or Binding Corporate Rules.
In the meantime, the EU and the U.S. continue to work on a successor regime to Safe Harbor: the “EU-U.S. Privacy Shield”. The first draft of the Privacy Shield was heavily criticized by various stakeholders, including the influential Article 29 Working Party. As a result, the EU Commission confirmed further review and amendment of the draft. Currently, it remains unclear if and when a final agreement between the U.S. and the EU will be reached and what requirements it will provide for. Companies should therefore not rely on the Privacy Shield being in place any time soon, but should act now and implement alternative solutions to legalize their transatlantic data flows.