A German data protection regulator reportedly fined 3 companies—Adobe Systems, Punica, and Unilever—a total of 28,000 euros ($32,000) for continuing to rely on the Safe Harbor framework and failing to set up alternative legal channels for cross-border data transfers quickly enough, following Safe Harbor’s demise in October of last year. Adobe was fined 8,000 euros, Punica 9,000 euros, and Unilever 11,000 euros.

Hamburg Commissioner for Data Protection, Johannes Caspar, stated that, “The fact that the companies have eventually implemented a legal basis for the transfer had to be taken into account in a favourable way for the calculation of the fines.”

Organizations that need to transfer personal data from the EU to the US  have relied on the Safe Harbour framework for 15 years, which allowed them to store data about EU citizens on US servers, by certifying that they complied with EU data protection standards.

The EU's 28 data protection authorities had given organizations a three-month grace period to find an alternative mechanism for brining their EU-US data transfers in line with EU law. The 3 companies that were fined missed the grace period.

Until now, the regulatory landscape remains uncertain and  many organizations are still grappling with how to legally transfer EU citizens’ personal data from the EU to the US. Some are considering SCCs and BCRs, while others are hopeful that the EU and the US will come up with a framework to replace Safe Harbor. The Article 29 Working Party’s and the EDPS’ recent critiques over the Privacy Shield’s inadequacy as a data transfer mechanism have only narrowed organizations’ legal choices.