Germany - Fines for unlawful EU-US transfer issued by German DPA following invalidation of Safe Harbor
Published 6 June 2016
On 6 June 2016 the Data Protection Authority of Hamburg (the “DPA”) announced that, following a review of 35 international organisations based in Hamburg, it fined 3 companies for unlawful transfers of personal data from the EU to the United States.
The 3 companies in question are Adobe – fined EUR 8,000, Punica – fined EUR 9,000 and Unilever – fined EUR 11,000. Whilst the fines could have been anything up to EUR 300,000, it is believed that these companies faced lower fines because they transitioned their business practices during the review period and implemented EU standard contractual clauses or "Model Clauses", which were found to be an acceptable alternative to Safe Harbour. Although organisations should note that, in common with the Irish data protection authority, the DPA has called for further scrutiny and review of Model Clauses as a basis for EU-US transfer.
The DPA has indicated that proceedings involving other organisations are on-going and it seems that the DPA will penalise unlawful transfers more harshly in the future.
The DPA’s approach has not come as a surprise for those who have been following the developments around Safe Harbour and Germany’s promise to audit cross-Atlantic data transfers following the Schrems decision in October 2015 by the Court of Justice of the European Union which invalidated the EU-US Safe Harbour framework, however, these fines place even greater emphasis on the importance of putting in place alternative mechanisms for the transfer of personal data from the EU to the US.
Organisations should ensure that they have reviewed all of their data processing activities which entail a transfer of data out of the EU to the US and that an adequate protection measure is in place for that transfer, the best of which is currently Model Clauses.
To read the DPA’s press release, please click here (German).