On June 6, 2016, Johannes Caspar – the Hamburg Commissioner for Data Protection – announced that the Hamburg Data Protection Authority (“DPA”) fined three companies for relying on the invalidated Safe Harbor framework to transfer data from the European Union to the companies’ operations in the United States. The DPA imposed the fines on Adobe, Punica and Unilever, in the amounts of 8,000, 9,000 and 11,000 Euro, respectively.
Since the invalidation of the Safe Harbor framework by the Court of Justice of the European Union (“CJEU”) in October 2015, German DPAs have taken an active role in questioning cross-border data transfer mechanisms, including the validity of the Standard Contractual Clauses and the Binding Corporate Rules, neither of which the CJEU addressed in the Safe Harbor Schrems decision. As part of this effort, the Hamburg DPA made inquiries of 38 global companies that had previously relied on the Safe Harbor framework and have operations in Hamburg to determine whether the companies had updated their cross-border data transfer practices to reflect the invalidation of Safe Harbor. This inquiry has, in turn, resulted in the enforcement action against the three companies.
The Hamburg DPA asserted in its press release that the three companies were unlawfully transferring data from the EU to the US because they continued to rely on the invalidated Safe Harbor framework to transfer employee and customer personal data. While substantially larger fines were possible, the DPA explained that the penalties were reduced because each company eventually implemented a legally valid cross-border data transfer mechanism.
First, in the short term, we can expect the Hamburg DPA to take further action on cross-border data transfer enforcement, and to seek to impose higher fines. In announcing the current action, Caspar warned that “[f]or future infringements, stricter measures have to be applied.”
Second, in the longer term, the willingness of the Hamburg DPA to “go rogue” by enforcing cross-border transfer requirements in this period of uncertainty – while the stakeholders seek to come to an agreement on the EU-US Privacy Shield – may spell trouble for global companies as they try to navigate a legal regime that currently lacks clarity. With Standard Contractual Clauses being called into question in a new case pending before the CJEU, we may be approaching a period when there will be few, if any, practical compliance mechanisms for transferring personal data from the EU to the US (or other countries that are not deemed “adequate”). What that time may look like is something few privacy professionals want to contemplate.
If the EU and US fail to agree on a reasonable regime for cross-border data transfer, it is not beyond the realm of possibilities that the dispute will make its way to the WTO. Notably, there has been a visible effort in the US recently to leverage research and facts to debunk the view that, as a practical matter, the EU offers stronger privacy protections than the US, in either the commercial or government space. A key implication of this emerging body of work is that Europe’s denial of the “adequacy” status to the US, and the resulting restrictions the EU imposes on cross-border data transfer of personal data to the US, may not be justified by concerns for individuals’ privacy. It is not beyond the realm of possibilities that these arguments will be aired before a WTO panel if the current Privacy Shield process dead-ends.
* Summer Associate Alex M. Podobas contributed to this post.