A German regulator on June 6, 2016 announced in a press release that it had fined three subsidiaries of U.S.-based global companies for unlawfully transferring data to the United States. The Hamburg data protection authority (DPA) fined consumer goods group Unilever 11,000 euros ($12,505), software company Adobe Systems Inc. 8,000 euros ($9,094), and fruit juice maker Punica, a PepsiCo subsidiary, 9,000 euros ($10,220) for failing to properly ensure the privacy of employee and customer data transferred to the United States.
Hamburg Data Commissioner Johannes Caspar said the DPA investigated the data transfer practices of 35 international companies based in Hamburg and found that some companies had not switched to a valid alternative after the grace period set by the European Court of Justice following its Schrems judgment invalidating the Safe Harbor Agreement. After the expiration of the grace period on January 31, 2016, the DPA initiated administrative proceedings against those companies committing unlawful transfers.
Each company faced a potential fine of up to 300,000 euros. Commissioner Caspar said that the companies changed their policies during the fine proceedings, and the DPA considered these changes when issuing the fine levels. Commissioner Caspar also reported that the DPA continues open administrative fine proceedings against two companies, and in another case, the DPA recently delivered the penalty notice.
In October 2015 the European Court of Justice invalidated the U.S.-EU Safe Harbor framework on which U.S. and EU companies relied to conduct transatlantic data transfers. Earlier this year, negotiators approved the EU-U.S. Privacy Shield agreement to replace the Safe Harbor program. But the replacement framework has been criticized by various parties as inadequate to protect EU citizens' personal data from U.S. government surveillance.
With no approved data transfer pact in place and the future of the EU-U.S. Privacy Shield uncertain, companies seeking to lawfully transfer personal data out of Europe should not do so without taking further steps. Simply waiting for a Safe Harbor replacement is an increasingly risky approach, as other German DPAs have investigated international companies and enforcement practices vary significantly around Europe. If your organization processes personal data of EU citizens, including employee and consumer data, your organization should be aware that it could be subject to an investigation by any European data protection authority.
With alternative solutions available, such as EU Model Clauses, it is advisable that your organization consult with experienced legal counsel to draft and assist with the implementation of EU Model Clauses. Alternatively, your organization may implement binding corporate rules. Although time-consuming and costly, binding corporate rules may be the most advisable solution, since the Irish DPA plans to refer a case to the ECJ to determine the validity of the EU Model Clauses in light of the Schrems decision. Additionally, your organization may adopt other solutions such as anonymizing data before transfer, implementing strong encryption techniques, or obtaining explicit, informed consent from EU citizens prior to cross-border transfer. It is also important to have a documented narrative to share with regulators about data security and transfer protocols in the event that regulators seek to examine your organization's data transfer practices. Finally, your organization should begin the process of complying with the EU General Data Protection Regulation, following the steps outlined here.