8 June 2016 – This past Monday, 6 June, the Hamburg Data Protection Commissioner issued fines against three international companies for failing to implement alternative data transfer mechanisms following the invalidation of Safe Harbor in October 2015.
The Hamburg Data Protection Commissioner investigated a total of 35 companies that had previously been transferring personal data to the U.S. pursuant to the Safe Harbor program. Although, the majority of these companies had put in place an alternative data transfer mechanism within 6 months of the CJEU ruling in Schremsthat invalidated the Safe Harbor, at least 3 companies allegedly failed to take action to replace their Safe Harbor reliance, and continued to transfer personal data to the U.S.
Adobe was fined 8,000 euros, Punica 9,000 euros and Unilever 11,000 euros for a total of 28,000 euros ($32,000) for failing to set up alternative legal channels for cross-border data transfers quickly enough.
It lowered the fines following the start of the proceedings after each company executed model contracts to ensure a legal standard was applied. However, the Hamburg Commissioner (Johannes Caspar), has stated that, “for future infringements, stricter measures have to be applied“ – clearly a wake-up call to all companies who have yet to establish a mechanism to replace their prior reliance on Safe Harbor, and in particular, those companies still subject to inspections from the Hamburg Data Protection Commissioner.
This decision compounds the uncertainty that currently surrounds the transfer of personal data from the EEA to the U.S. The draft EU-U.S. Privacy Shield documentation is still under consideration and has recently come under scrutiny from the Article 29 Working Party, the European Parliament and the European Data Protection Commissioner.
In addition, as we previously reported, the Irish Data Protection Commissioner announced, on 25 May 2016, that it would be initiating court proceedings to clarify the validity of Model Contracts. However, this decision by the Hamburg Data Protection Commissioner confirms that Model Contracts continue to be an appropriate and valid international data transfer solution, and the EU data protection authorities will, at least for now, view Model Contracts as a legitimate and key alternative in the wake of the Safe Harbor invalidation.