German DPA Fines Three International Companies For Relying on Invalidated EU-US Safe Harbor | Practical Law

The Data Protection Authority of Hamburg (DPA) announced that three international companies have been making illegal data transfers to the US pursuant to the now-invalid EU-US Safe Harbor Agreement. The DPA fined each company €11,000 or less.

by Practical Law Intellectual Property & Technology
Published on 07 Jun 2016 | USA (National/Federal)
On June 6, 2016, the Data Protection Authority of Hamburg (DPA) issued a press release announcing that it had reviewed the cross-border data transfers of 35 international companies and found that three had failed to establish alternate data transfer methods even after the European Court of Justice (ECJ) invalidated the EU-US Safe Harbor Agreement over six months ago. The companies were later identified as Adobe Systems, Inc., Punica, a subsidiary of PepsiCo Inc., and Unilever, N.V.
Although each company has since changed its practices, Adobe was fined €8,000, Punica €9,000, and Unilever €11,000. The DPA indicated that the fines levied were relatively low because the companies responded and had implemented a legal basis for their data transfers using standard contractual clauses (SCCs). The DPA also noted that many of the other companies investigated had already used SCCs to set up alternative legal arrangements for transferring data to the US.
This action by the DPA is notable because:
  • These companies were fined for not having switched to a currently valid alternative for cross-border data transfers. This matter serves as a wake-up call to US companies that have not implemented an alternative to Safe Harbor since its invalidation. Companies cannot simply wait for implementation of the new EU-US Privacy Shield Agreement, if it is fully approved by EU authorities.
  • Echoing concerns recently expressed by other EU data protection authorities, the Hamburg Data Protection Commissioner also indicated that while still valid, SCCs should be scrutinized for whether they sufficiently protect Europeans' data, leaving open the possibility that regulators will restrict their use as well.
  • In announcing the fines, the Commissioner also called for revisions to the EU-US Privacy Shield Agreement, based on issues raised by the Article 29 Working Party, a committee of EU member states' data protection authorities, and the European Data Protection Supervisor.