For the first time since the Safe Harbor was invalidated by the European Court of Justice in October 2015 (see related blogs here, here, and here), an EU regulator has issued fines to three companies that continued to rely on the Safe Harbor to transfer data from the EU to the U.S.
The Hamburg Data Commissioner, which has jurisdiction over companies that have German headquarters located in Hamburg, issued the fines this week, following a months-long investigation. The regulator investigated 35 companies after a three-month enforcement grace period, and concluded that all but three had implemented alternative transfer mechanisms (such as standard contractual clauses). The regulator therefore found that the transfer of data from these three companies to the U.S. was unlawful and without any legal basis.
According to a report by Spiegel (available in German only), the three companies are Adobe, Punica, and Unilever, and the fines ranged from EUR 8,000 to EUR 11,000. These fines are minor in comparison to the EUR 300,000 that the regulator was permitted to impose. The alternative transfer mechanisms the companies implemented during the course of the investigation likely reduced the fines. The regulator, however, warned that stricter measures could be imposed for future violations. Another German DPA, the Rhineland-Palatinate data protection authority, is currently investigating 16 companies within its jurisdiction for continuing to rely on the Safe Harbor for data transfers.
While the EU-U.S. Privacy Shield (the potential Safe Harbor successor) is still under discussion and has not yet been enacted, companies that have operations in the EU, and particularly in Germany, should evaluate whether they need to update their mechanisms for transferring data to the U.S. As we noted in a previous blog, even standard contractual clauses are under close scrutiny in Europe and may be invalidated based on similar grounds as the Safe Harbor, but they presently remain valid and are in many cases the only practical option.