One of Germany’s state data protection authorities, the Hamburg Data Protection Authority (“DPA”), has announced that it will impose fines on companies which are still relying on the Safe Harbor Scheme.

On 6 October 2015, the European Court of Justice (“ECJ”) declared the Safe Harbor Scheme invalid. In the aftermath, the European DPAs set a grace period until 31 January 2016 which allowed firms to rely on the Safe Harbor Scheme as a legal basis for data transfer.

This grace period has now expired. “I did not expect international companies to continue data transfers to the U.S. relying on the Safe Harbor Agreement as a legal basis” said Johannes Caspar, head of the Hamburg DPA.

After expiration of the grace period, the Hamburg DPA has initiated administrative proceedings against companies that were unable to provide alternative safeguards, such as EU-Model Clauses or Binding Corporate Rules (“BCRs”).

Currently, the Hamburg DPA is preparing to commence proceedings against three large international companies. The DPA has not released the names of the companies yet, but it has revealed that two additional companies are also under investigation.

The proceedings may lead to fines of up to 300.000 EUR per breach.

Several German DPAs have expressed serious doubts that the EU-Model Clauses and BCRs meet the requirements of the ECJ decision, including the Hamburg DPA. Also it has been officially announced by all German DPAs that transfers based on EU- Model Clauses and BCRs will be reviewed in detail, in particular, in case of complaints by data subjects. However, most German DPAs indicated informally that they will accept these alternative measures as long as the Article 29 Working Party has not decided otherwise in a formal statement. Consequently, in general, companies can currently rely on EU-Model Clauses and BCRs as a valid legal bases.

On 2 February 2016, the U.S. and the EU reached an agreement on the key principles of the future transatlantic data transfer (EU-US-Privacy Shield) which imposes stronger obligations on companies in the U.S. to protect European’s personal data. It also provides for stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission, including increased cooperation with European Data Protection Authorities. This agreement will replace the Safe Harbor Agreement and is currently being reviewed by Europe’s data protection regulators. The Article 29 Working Party has stated that no actions need to be taken until it has been determined that the agreement satisfies the privacy concerns.

We will keep you posted about future developments.