On June 6, 2016, the Data Protection Commissioner for Hamburg, Germany, announced fines against three US companies for unlawful transfers of employee and customer data from the EU to the US. This action by the Hamburg Commissioner is the most significant enforcement action to date for non-compliance with current law.

These fines occurred in the wake of the October 2015 decision by the Court of Justice of the European Union (CJEU), which invalidated the US-EU Safe Harbor Framework as a means for lawfully transferring personal data from the EU to the US. (Previously, certain US companies and other persons could lawfully transfer Europeans’ personal data to the US by certifying their compliance with the Safe Harbor Framework.) The CJEU’s decision created significant uncertainty for data transfers from the EU to the US, as many companies rushed to implement alternate means of lawfully transferring data. European data protection authorities provided a three months grace period following the decision, which expired at the end of January 2016.

Key Takeaways:

  • Possibility of future inspections and actions. These fines result from inspections of 35 international companies based in Hamburg, with some inspections ongoing. Additional inspections will presumably follow from the Hamburg Commissioner and/or other European data protection authorities. The Hamburg Commissioner suggested that “stricter measures” would be appropriate for future non-compliance.
  • Questioning the Standard Contractual Clauses. As noted by the Commissioner, many companies have implemented the Standard Contractual Clauses to ensure lawful transfers of personal data from the EU to the US. For the purpose of this round of inspections, the Standard Contractual Clauses were found to be an acceptable alternative to Safe Harbor. However, doubts have been raised about the Clauses’ adequacy. Although the Hamburg Commissioner did not object to the use of the Standard Contractual Clauses, he did call for scrutiny of the Clauses, and the Data Protection Commissioner of Ireland announced in May that it will seek legal review of the Standard Contractual Clauses by the Irish High Court and the CJEU.
  • Need for a Privacy Shield. These fines are likely to increase pressure on US and EU agencies seeking an acceptable replacement for Safe Harbor. In February, the US Department of Commerce and the European Commission proposed the new EU-U.S. Privacy Shield Framework to replace Safe Harbor. The Article 29 Data Protection Working Party, which includes the heads of EU data protection authorities, has since expressed some concerns that the Privacy Shield remains inadequate and the new framework is now awaiting approval by EU member state representatives.
  • Know your data transfers. The fines against US companies by the German Data Protection Commissioner demonstrates how important it is for companies to review and understand the legal basis for international transfers of their employees’ or customers’ data. And this is not limited to EU-US transfers; countries in Asia and Latin America, for example, have enacted similar legislation that may limit cross-border data transfers.