German Privacy Regulator issues first fines for inadmissible transfers of data to the U.S.

On 6 June 2016, the Hamburg Data Protection Commissioner issued fines against three international companies for failing to implement alternative data transfer mechanisms following the invalidation of Safe Harbor in October 2015.

The Hamburg Data Protection Commissioner investigated a total of 35 companies that had previously been transferring personal data to the U.S. pursuant to the Safe Harbor program. Although, the majority of these companies had put in place an alternative data transfer mechanism within 6 months of the CJEU ruling in Schrems that invalidated the Safe Harbor, at least 3 companies allegedly failed to take action to replace their Safe Harbor reliance, and continued to transfer personal data to the U.S.

The fines issued were between 8,000 and 11,000 Euros, which we understand to have been lowered following the start of the proceedings after each company executed model contracts to ensure a legal standard was applied. However, the Hamburg Commissioner (Johannes Caspar), has stated that, “for future infringements, stricter measures have to be applied“. This should therefore be a wake-up call to all companies who have yet to establish a mechanism to replace their prior reliance on Safe Harbor, and in particular, those companies still subject to inspections from the Hamburg Data Protection Commissioner.

This decision compounds the uncertainty that currently surrounds the transfer of personal data from the EEA to the U.S. The draft EU-U.S. Privacy Shield documentation is still under consideration and has recently come under scrutiny from the Article 29 Working Party, the European Parliament and the European Data Protection Commissioner.  In addition, the Irish Data Protection Commissioner announced, on 25 May 2016, that it would be initiating court proceedings to clarify the validity of Model Contracts. However, this decision by the Hamburg Data Protection Commissioner confirms that Model Contracts continue to be an appropriate and valid international data transfer solution, and the EU data protection authorities will, at least for now, view Model Contracts as a legitimate and key alternative in the wake of the Safe Harbor invalidation.