The Data Protection Authority of Hamburg, Germany has made good on its promise to audit cross-Atlantic data transfers in the wake of the October 2015 Safe Harbor decision. On June 6, the Hamburg DPA announced that it had fined three companies for unlawful transfers of personal data from the EU to the United States. According to the press release, over the past few months the Hamburg DPA has reviewed the data transfers of 35 multinational organizations to verify compliance with European data protection laws. The Court of Justice of the European Union’s decision invalidating the Safe Harbor framework expressly empowered European DPAs to undertake such reviews, but did not invalidate alternative data transfer methods such as standard contractual clauses (SCCs) and binding corporate rules (BCRs).
The Hamburg DPA’s investigation revealed that, although the majority of companies had timely implemented SCCs to cover their data transfers to the U.S., some were transferring customer and employee personal data in violation of EU law. The three companies that have been fined (€8,000, €9,000 and €11,000, respectively) were found to have unlawfully transferred data from Germany to the U.S., but because they moved to SCCs during the course of their respective proceedings, the fines were reduced significantly from the potential maximum of €300,000. The Hamburg DPA has indicated that additional proceedings involving other organizations are ongoing. In an interview published in Spiegel Online, Hamburg Data Protection Commissioner Dr. Johannes Caspar noted that unlawful data transfers may be penalized more harshly in the future. He has also echoed the Irish Data Protection Commissioner’s intention to begin examining the legality of the use of SCCs for transfers of EU personal data.
The Hamburg DPA’s announcement is unsurprising to those who have been following the Safe Harbor saga – it reflects a general Teutonic wariness of cross-Atlantic data transfers that has only increased since the Safe Harbor decision. In October 2015, another German DPA published a position paper warning of fines of up to €300,000 for unlawful personal data transfers. Also in October, a group of German DPAs issued a 14-point position paper questioning the validity of BCRs and SCCs, halting the issuance of any new BCR authorizations, and announcing their intent to exercise auditing power over SCCs.
With the future of the proposed Privacy Shield uncertain, the continued validity of alternative data transfer mechanisms is of great concern to companies seeking lawful solutions. We will continue to monitor and report on developments in this space.