In a widely discussed decision in October 2015, the CJEU declared the Safe Harbor Agreement to be invalid (we reported), thus eliminating a key pillar for lawful data transfer to US companies. Within several months of implementation time, companies were therefore required to base their US data transfer on another pillar, in particular Standard Contractual Clauses.

Following this implementation period, among others the Hamburg Data Protection Supervisor reviewed the due conversion of data transfers to the US as of February 2016. In connection with this examination, fines of EUR 8,000, EUR 9,000, and EUR 11,000 Euro were imposed on three companies recently. The Hamburg Data Protection Supervisor emphasized that the fact that the companies eventually implemented a legal basis for the data transfer to the US had to be taken into account in a favorable way for calculating the fines in the current summary proceedings. Companies that have not yet converted their data transfer to the Standard Contractual Clauses are likely to see much higher fines. In theory, fines of up to a maximum of EUR 300,000 are possible.

In addition, companies should closely monitor future developments in the area of US data transfer. Currently, the European Commission and the US government are negotiating a successor agreement, the EU-US Privacy Shield, which is to guarantee an adequate level of data protection in the future. After the first release of the draft text, however, the Article 29 Working Party as well as the Article 31 Committee, the European Data Protection Supervisor, and the national Data Protection Conference called for significant changes.

In addition, the Irish data protection authority has warned that the "model contract clauses" should also be settled at the CJEU.

Practical tip: Companies need to closely watch the developments in the area of US data transfers, in order to take necessary steps in due time. This is the only way to avoid high fines.