In October 2015, the European Court of Justice invalidated a safe harbor for the transfer of personal data from the European Union to the U.S. Now, EU-based companies can no longer rely on the fact that a U.S.-based company has self-certified its adherence to the "Safe Harbor Principles" with the U.S. Department of Commerce as a means to demonstrate that the U.S. company provides an adequate level of privacy protection as required by the data protection laws of EU member states.

On June 6, the Hamburg commissioner for data protection and freedom of information announced that he had fined three multinational companies with operations in Hamburg a total of 28,000 euros ($32,000) for failing to establish alternative legal channels for cross-border data transfers quickly enough to replace the invalidated EU-U.S. safe harbor.

Background

The national laws of EU member states that aim to protect personal data prohibit the transfer of personal data from the EU to another jurisdiction unless the receiving jurisdiction provides "adequate" protection of personal data and sufficient privacy rights in the eyes of EU authorities. The U.S. is among the countries that are deemed by the EU not to provide adequate protection.

To address the need of many businesses to transfer data from the EU to the U.S., in 2000, the European Commission and the United States agreed on Safe Harbor Principles. The safe harbor program, which embodied these principles, provided a cost-effective means for companies to voluntarily commit to a certain level of data protection in order to legally transfer personal data from the EU to the United States. Companies only had to have in place a program that met the requirements of the safe harbor program, and to self-certify their compliance with the Safe Harbor Principles with the U.S. Department of Commerce.

In a groundbreaking judgment published on Oct. 6, 2015, the European Court of Justice (CJEU) ruled among other things that the safe harbor program was invalid. See Maximillian Schrems v. Data Protection Commissioner, ECLI:EU:C:2015:650. Since that date, the EU and the U.S. Department of Commerce have attempted to define a suitable replacement regime. In early February 2016, they agreed in principle to the creation of an EU-U.S. "Privacy Shield," which generally encompasses concepts and principles similar to those of the invalidated safe harbor, but provides greater rights and stronger protections for EU residents. At the end of February, a 161-page document defining in greater detail the terms of the proposed Privacy Shield agreement was jointly published. Unfortunately, the Privacy Shield has faced strong opposition from the Article 29 Working Party (which is composed of all the data protection commissioners from the EU member states), the EU data protection supervisor and others. As a consequence, there is no replacement for the invalidated safe harbor program at this time.

Response to the Safe Harbor Invalidation

The October 2015 decision of the CJEU has had a significant impact on the large number of companies that relied on the safe harbor to comply with EU law regarding their EU-to-U.S. data transfers. After the news of the invalidation, many companies established alternative mechanisms accepted by the EU authorities for legally transferring data from the EU to the U.S. The most commonly implemented option has been the use of model contracts incorporating standard contractual clauses (SCCs) whose non-negotiable terms were pre-approved by the European Commission.

The SCCs provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals. They provide a legal basis for enabling the transfer of personal data from the EU to countries with legal regimes that do not meet the required EU data protection standards. For some companies, the implementation of the data transfer agreements that incorporate the SCCs is still an ongoing task. This is the case for a variety of reasons, including, for example, that certain relationships between the EU- and U.S.-based companies might not fit easily within the SCCs framework or may rely on layers of service providers, which delays signature of the complete series of required documents. Outside of the use of SCCs, other alternative legal arrangements include binding corporate rules and obtaining the valid consent of the data subject for the transfer.

First Enforcement Action and Fines in Germany

While there have been rumors that certain EU data protection authorities were becoming impatient with the slow implementation of a replacement for the invalidated Safe Harbor framework by companies, the enforcement action conducted by the Hamburg commissioner is the first published decision resulting in fines. The three companies were fined 8,000, 9,000 and 11,000 euros for failing to establish alternative legal channels for cross-border data transfers quickly enough to replace the invalidated EU-U.S. safe harbor.

The three companies have not put alternative legal mechanisms in place for the transfer of data to the United States. In this regard, the Hamburg commissioner noted "[t]he fact that the companies have eventually implemented a legal basis for the transfer had been taken into account in a favorable way for the calculation of the fines." However, he also warned that stricter measures have to be applied to future infringements.

The German press release further stated the fines resulted from a series of inspections the German regulator conducted on 35 internationally active Hamburg-based companies. Most of the companies inspected had already set up alternative legal arrangements to transfer data to the U.S., such as the use of SCCs. However, the Hamburg commissioner warned that SCCs should also be scrutinized to decide if they provide sufficient protection to EU personal data when it is transferred to the U.S.

The enforcement by the Hamburg commissioner is the first high-profile set of cases where companies have been fined for continuing to rely on the invalidated safe harbor to transfer personal data between the EU and the U.S.

The news of this enforcement action is an important reminder that U.S.- and EU-based companies need to accelerate and complete efforts to identify and finalize the proper legal structure to replace their reliance on the safe harbor as a legal basis for their transfer of personal data across the Atlantic.

"Originally published in the Los Angeles/San Francisco Daily Journal, June 22, 2016. Copyright 2016 Daily Journal Corporation, reprinted with permission."