July 2016 Blog

Data Protection: German authorities fine US, multinational Companies over Safe Harbor Data Transfer

Transatlantic data transfer from the EU to the US has been under scrutiny since October 2015. In February 2016, the Hamburg data protection commissioner started administrative proceedings against several companies, alleging they were still transferring data based on Safe Harbor. On 6 June 2016 the commissioner imposed fines on three companies and gave a clear signal: Data export based on Safe Harbor is illegal and will not be tolerated any longer. Therefore, companies must implement other means of transfer, in particular standard contractual clauses.

The Safe Harbor decision and the ECJ’s ruling

The Safe Harbor decision of the EU Commission (Decision 2000/520) was an important basis for data transfer from EU member states to the US. On 6 October 2015, the European Court of Justice (ECJ) invalidated the Safe Harbor decision, rendering the majority of data transfers from the EU to the US illegal (Schrems, C-362/14).

Following the ruling, the Article 29 Working Party (WP29) of EU data protection commissioners announced that the data protection authorities would take all necessary action, including enforcement, if no appropriate solution were reached with the US authorities by the end of January 2016. As a result, many international companies with German subsidiaries no longer based data transfer to the US on Safe Harbor, but implemented the EU Commission’s standard contractual clauses in order to continue such transfer.

The draft Privacy Shield decision and German enforcement action

The European Commission declared at the end of January that negotiations with the US government had been successful, and the US would implement the so-called “Privacy Shield”. Nevertheless, several German data protection authorities, amongst them the Hamburg DPA, did not wait for the EU Commission to issue a new “Safe Harbor II” or “Privacy Shield” decision, but started enforcement action by contacting companies in order to determine whether data transfer from Germany to the US was still based on Safe Harbor. Stating that such data transfer to the US was illegal, these DPAs began administrative proceedings. Data transfer based on standard contractual clauses remained unchallenged.

On 29 February 2016, the EU Commission published the draft Privacy Shield decision to start a discussion on whether the Privacy Shield could guarantee an adequate level of data protection in the US. In its statement, WP29 criticized that the Privacy Shield is a varied set of documents lacking overall clarity; that some key data protection principles, in particular the purpose limitation principle, are not reflected in the draft adequacy decision; and that the Privacy Shield offers insufficient protection against access by public authorities in the US.

Fines imposed on companies in Hamburg

At the moment, the EU Commission is discussing the adequacy decision with the Article 31 Working Party of member state representatives. However, on 6 June 2016 the Hamburg Data Protection Commissioner Prof. Johannes Caspar imposed fines on companies that had transferred data to the US based on the Safe Harbor decision. According to the German magazine “Der Spiegel”, an 8,000 Euro fine was imposed on the US software company Adobe, a 9,000 Euro fine on Punica, a beverage producer, and 11,000 Euro on Unilever, a producer of consumer goods. The commissioner stressed that a grace period had been granted after the Schrems ruling, but that these companies had continued to transfer data under the Safe Harbor decision after the grace period expired in February.

The maximum fine would have been 300,000 Euro, but according to the data protection commissioner these companies amended their practice during the administrative proceedings and changed the means of transfer. Therefore, the imposed fines were much lower than the maximum. Nevertheless, the commissioner announced that companies still transferring personal data based on Safe Harbor will face higher fines.

Impact on data processing in Germany

The administrative proceedings in Hamburg and the imposed fines show that data protection plays an important role in Germany. Eight months after the Schrems ruling and nearly 5 months after the grace period expired, companies should review data processing, immediately halt data transfer under Safe Harbor, and instead implement standard contractual clauses as a means of data transfer. Standard contractual clauses are also under scrutiny, but are accepted by the data protection authorities.

Nevertheless, companies should not wait for the EU Commission to issue the Privacy Shield adequacy decision. This decision could come in June, but even according to the EU Commission the decision will be challenged in court, and there is only a 51 % chance that the ECJ will uphold it. In this light and given the uncertainty of the Privacy Shield’s future, international companies with subsidiaries in Germany and those dealing with their German counterparts should not rely exclusively on the Privacy Shield. It is advisable to implement standard contractual clauses as soon as possible, which are a far safer means for transferring personal data than the Privacy Shield.

Arnd Böken, Attorney at law
Berlin
