The Safe Harbor provision has finally set sail. On Monday, the Hamburg Data Protection Authority (“Hamburg DPA”) announced that it has fined three companies an aggregate total of €28,000 ($31,928) for continuing to operate under the U.S.-E.U. Safe Harbor Framework. This is the first enforcement action by any European country since the European Court of Justice (“CJEU”) invalidated the Safe Harbor last October.

Prior to the decision, the Safe Harbor regulated the transatlantic exchanges of personal data for commercial purposes. Businesses like Google, Facebook, and Apple were legally permitted to transmit their European subscribers’ personal data to the United States as long as they self-certified under the agreement.

But because the CJEU found the Safe Harbor failed to provide an adequate level of protection for EU citizens’ personal data, businesses have had to consider a number of approaches to minimize compliance and enforcement risks. 

In response to the CJEU’s decision, the European Commission and the Obama Administration feverishly worked to craft a new data-protection framework—the Privacy Shield. The Privacy Shield seeks to address issues related to consumer privacy and government surveillance while providing an adequate level of protection for EU citizens’ personal data.

However, since the release of the Privacy Shield proposal, the European Data Protection Supervisor, the European Parliament, a coalition of U.S. and EU consumer organizations, and the Article 29 Working Party have opposed the proposal, thus raising doubts about its implementation.  

Since the CJEU decision, many companies have been clinging to their Safe Harbor certifications in the hope that an enforcement “détente” of sorts might hold off any European enforcement action until a replacement (such as Privacy Shield) can be enacted.  Some European DPAs have indicated as much, but others have warned that they would continue to enforce their national laws. 

The Hamburg DPA’s recent actions signal that there were teeth to that warning and that companies continue to adhere to Safe Harbor at their peril. 

Of some solace, perhaps, is the comment of Hamburg Data Commissioner Johannes Caspar that the Hamburg DPA took into consideration the companies’ efforts to change their policies in mitigating the amount of the fines imposed.

Continued Regulatory Uncertainty

As the regulatory landscape remains uncertain, businesses transferring data from the European Union to the United States have options to consider moving forward. For example, one option includes putting model contracts in place to cover any data transfer or access gaps you feel your business may have. And the European Commission has generally backed this method by releasing guidance on model contracts. But model contracts may not be a sufficient option for much longer as they arguably suffer from the same defects that triggered the CJEU’s rejection of the Safe Harbor.  Moreover, the Irish Data Protection Agency has referred model contract clauses to the Irish High Court for referral on to the CJEU.

Ultimately, it seems as though the future of transatlantic data transfer, at least in the near term, remains unclear – the worst possible outcome for multinational businesses.

Edward George, Summer Associate; Georgetown University Law Center (J.D. expected 2017)