In a recent press release, the Data Protection Authority of Hamburg ("Hamburg DPA") announced three final decisions regarding fines imposed on companies which unlawfully transferredpersonal information outside of the EU. The Hamburg DPA determined that after the invalidation of the former “U.S.-EU Safe Harbor Framework” by the European Court of Justice in October 2015, the companies had failed to otherwise adequately ensure the protection of employee and customer data transferred from Europe to the US.
The Hamburg DPA’s investigation discovered that although the majority of companies had implemented standard contractual clauses ("SCCs") on a timely basis in order to cover their data transfers to the U.S., some were transferring customer and employee personal data in violation of EU law. The three companies that were fined had been found to have unlawfully transferred data from Germany to the U.S. However, since they had transitioned to SCCs during the course of their respective proceedings, the fines were reduced significantly from the potential maximum of €300,000 to €8,000, €9,000 and €11,000, respectively.
The Hamburg DPA enforcement actions are the first enforcement actions made public against companies that did not adjust their EU-US data transfer compliance practice, and will probably not be the last. Companies should also anticipate enforcement actions for non-compliance from other European DPAs.