Safe Harbor Judgment - Hamburg Data Protection Authority Imposes Initial Fines Concerning Data Transfers to the USA
1. The Safe Harbor judgment of the ECJ dated October 6, 2015 (legal matter C-362/14) makes it clear that European companies can no longer simply transfer personal data to the USA as a "non-secure third country". Following the judgment, there has been major uncertainty in companies concerning how they are required to treat personal data in the context of their daily business dealings with the USA.
2. In the meantime, the European Commission has negotiated the Privacy Shield agreement with the USA, which is intended to replace the Safe Harbor agreement as a legally compliant successor arrangement. Nevertheless, it remains unclear whether this new agreement satisfies the strict requirements of the ECJ in terms of data protection. Even the European Commission is indicating that there is still a need for significant improvements.
3. (Most) German data protection authorities are of the opinion that the transfer of data to the USA is currently still possible, but only if the companies concerned use the standard EU model contract clauses or binding corporate rules (BCR) for this. If these clauses or BCR are not applied, the authorities will assume sanctionable violations of data protection laws.
4. The Hamburg data protection authority has now followed this up with action, and has actually imposed fines in three specific cases. On this occasion these were relatively low at up to € 11,000.00, in particular because the companies concerned changed their data transfer immediately when proceedings were started. In future proceedings, however, companies must expect greater use to be made of the current fine spectrum of up to € 300,000.00 once the changeover phase has expired. Following the coming into force of the EU General Data Protection Regulation on May 24, 2016 and expiry of the 2-year transition period on May 25, 2018, fines of up to 4% of the total sales of a group of companies will then be payable.
5. Companies should therefore check their practice regarding data transfers to third-party companies, and in particular those abroad, now, and change it if necessary. They must expect other State data protection authorities, in addition to the Hamburg data protection authority, to intensify their prosecution policies.