Last week, the Hamburg Data Protection Commissioner Johannes Caspar announced three enforcement actions against (unnamed) subsidiaries of U.S. companies for non-compliance with valid data transfer mechanisms. After the Schrems decision in the European Court of Justice in October 2015 that invalidated US-EU Safe Harbor as a valid data transfer mechanism from the EU to the U.S., the EU Data Protection Authorities (DPA) (through the Article 29 Working Party) announced a grace period to allow companies to get into compliance with other data transfer mechanisms (Model Contracts, Binding Corporate Rules). This grace period has ended and the Privacy Shield announcement did not change this fact.

The Hamburg enforcement actions are the first enforcement actions against U.S. companies that did not update their data transfer compliance, but they certainly will not be the last. Companies should anticipate enforcement actions for non-compliance from other DPAs. In fact, it is likely that there are other data protection enforcement actions that have not yet been announced. Spain, France, and other German state-level DPAs have been particularly vocal about investigating data transfer non compliance. There has been some concern among DPAs that they might lose their credibility if there was no enforcement after all the public statements and grace period.

Although the targeted companies were not named in the Hamburg decisions, it is expected that there had been several exchanges between the companies and Commissioner Caspar prior to the decision to bring enforcement actions.

Stefan Alich