The Data Protection Authority ("DPA") of Hamburg, one of 16 German State DPAs, has issued fines against three companies for failing to implement alternative data transfer mechanisms following the invalidation of the European Commission Safe Harbor adequacy decision in October 2015. The fines range from EUR 8,000 to EUR 11,000 for each company.
This is the most high-profile example of a DPA taking action against companies for continuing to transfer personal data from Europe to the U.S. on the basis of the Safe Harbor framework. The Hamburg DPA might well issue further fines against other companies which are still subject to investigations. Other German DPAs might also follow Hamburg’s example.
35 Hamburg-based Companies Investigated
Since the invalidation of the Safe Harbor adequacy decision, the Hamburg DPA has investigated the data transfer methods of about 35 internationally active, Hamburg-based companies that used to rely on Safe Harbor for transferring personal data to the U.S.
According to the Hamburg DPA, the inspections have shown that the vast majority of companies had already put in place alternative transfer mechanisms, namely Standard Contractual Clauses. Not so the companies that were fined.
The Level Of Fines
German DPAs may impose fines of up to EUR 300,000 for unlawful data transfers. In practice, DPAs take into account various factors when determining the amount of a fine, including whether a violation was intentional or negligent, whether it is the first or a repeated violation, and how quickly any non-compliance is rectified.
Apparently, the Hamburg DPA imposed rather low fines in these instances because the companies in question promptly implemented Standard Contractual Clauses after having been informed they were in breach. However, the Commissioner has stated that "for future infringements, stricter measures have to be applied“. Click here for the English press release.
Standard Contractual Clauses Currently Still Stand
Despite the fact that the Irish DPA, on May 25th, 2016, has announced that it would be initiating court proceedings to clarify the validity of Standard Contractual Clauses before the European Court of Justice, the Hamburg DPA highlighted that Standard Contractual Clauses are still a valid transfer mechanism for the time being.
Given the increased focus of DPAs on this area, companies are well advised to ensure they have robust mechanisms in place to legitimise international transfers of EU data.