Budapest, 12 February 2016 - Multinationals are now facing significant challenges due to changes in the data transfer mechanisms between the European Union and the United States and the provisions of the new General Data Protection Regulation of the European Union. The Regulation is expected to enter into force within two years. Companies violating data protection obligations may expect fines up to 4% of their global net turnover.
The Hungarian authority will likely issue significantly higher data protection fines once the new General Data Protection Regulation enters into force, said Dr. Attila Péterfalvi, the chairman of the Hungarian National Authority for Data Protection and Freedom of Information (NAIH), in his keynote speech at a data protection conference jointly organized by the Hungary Chapter of the Association of Corporate Counsels Europe and Baker & McKenzie in Budapest. NAIH’s 2016 enforcement priorities will focus on the content of the prior notification to data subjects and on anonymous job advertisements. NAIH plans to release guidance on phone call recording by customer services providers and on camera surveillance in public places.
More than four months have passed since the decision annulling the Safe Harbor agreement. The European data protection authorities set a 31 January 2016 deadline for the filing of a solution to the cross-border data flows between the EU and the U.S. On 2 February 2016 a political agreement was reached about the EU-US Privacy Shield. Dr. Péterfalvi said that the European data protection authorities still have not received any factual information about the content and details of that arrangement. Dr. Péterfalvi indicated that the EU data protection authorities, through the Article 29 Working Party, expect follow-up information from the European Commission by the end of February; then, they will examine the compliance of the remaining data transfer mechanisms in light of the commitments made by the United States. If those commitments are deemed to be inadequate, Dr. Péterfalvi stated that the use of alternative data transfer mechanisms such as Binding Corporate Rules (BCRs) and Standard Contractual Clauses could become questionable.
"It is still unclear whether the European Union and US will be able to create a data transfer mechanism that has solid legal foundations," said Dr. Ádám Liber, data privacy attorney with Baker & McKenzie in Budapest, speaking at that conference. Until the Article 29 Working Party comments on the adequacy of Privacy Shield and the adequacy of the United States’ commitments, data controllers can rely on the Standard Contractual Clauses and BCRs approved by EU data protection authorities when transmitting personal data to the US. Also, when concluding new data processing agreements, parties should already take account of the new Regulation’s provisions, which specify the detailed content of such agreements. The Regulation is expected to enter into force in mid-2018. The changes in legislation and the possibility that fines for failing to comply with data protection obligations could reach 4% of global turnover will require a new risk assessment and compliance management approach to data privacy issues. This two-year period seems a rather short one within which to adapt to the new data protection rules. We suggest that companies set a rigorous timetable for that adaptation process.