The Hamburg Data Protection Agency (DPA) recently fined three companies for not having appropriate replacements for the Safe Harbor in place after the expiration of the permitted grace period. While the amounts of these fines are not particularly concerning, the precedent and potential for future, more burdensome fines is significant.
As we discussed in a previous post, in the landmark case Maximillian Schrems v. Data Protection Commissioner, the European Court of Justice (ECJ) ruled that the Safe Harbor program (which had dictated the conditions of the transfer of personal data from the European Union to the United States since 2000) is invalid. The European DPAs granted companies a transitory period to migrate from the Safe Harbor to other legal tools for their international data transfers, in particular by implementing Binding Corporate Rules (BCRs) or the Model Contractual Clauses. This transitory period expired in February. Since that time, some proactive DPAs, including the Hamburg DPA in Germany, have launched their own inquiries to ensure that the companies under their jurisdiction are in compliance.
The Hamburg DPA’s investigation focused on 35 companies and found significant shortcomings in its subjects. The fines imposed by the DPA on the three companies totaled 28,000 euros (US $32,000). In addition, the Hamburg DPA announced that further investigations remain pending.
It’s worth noting that the DPA acknowledged that the fact that these companies had eventually implemented alternative, compliant means for data transfers into the United States played in the companies’ favor when considering the amount of each fine. That said, the DPA explained that more severe enforcement measures will be applied to future violations.