The Data Protection Authority of Hamburg, Germany has made good on its promise to audit cross-Atlantic
data transfers in the wake of the October 2015 Safe Harbor decision. On June 6, the Hamburg
DPA announced that it had fined three
companies for unlawful transfers of personal data from the EU to the United
States. According to the press release, over the past few months the
Hamburg DPA has reviewed the data transfers of 35 multinational organizations
to verify compliance with European data protection laws. The Court of
Justice of the European Union’s decision invalidating the Safe Harbor framework
expressly empowered European DPAs to undertake such reviews, but did not
invalidate alternative data transfer methods such as standard contractual clauses (SCCs) and binding corporate
rules (BCRs).
The Hamburg DPA’s investigation revealed that, although the majority of
companies had timely implemented SCCs to cover their data transfers to the
U.S., some were transferring customer and employee personal data in violation
of EU law. The three companies that have been fined (€8,000, €9,000
and €11,000, respectively) were found to have unlawfully transferred data
from Germany to the U.S., but because they moved to SCCs during the course of
their respective proceedings, the fines were reduced significantly from the
potential maximum of €300,000. The Hamburg DPA has indicated that
additional proceedings involving other organizations are ongoing. In an interview published in Spiegel Online, Hamburg Data Protection
Commissioner Dr. Johannes Caspar noted that unlawful data transfers may be
penalized more harshly in the future. He has also echoed the Irish Data
Protection Commissioner’s intention to begin examining the
legality of the use of SCCs for transfers of EU personal data.
The Hamburg DPA’s announcement is unsurprising to those who have been
following the Safe Harbor saga – it reflects a general Teutonic wariness of
cross-Atlantic data transfers that has only increased since the Safe Harbor
decision. In October 2015, another German DPA published a position paper warning of fines of up
to €300,000 for unlawful personal data transfers. Also in October, a
group of German DPAs issued a 14-point position paper questioning the validity
of BCRs and SCCs, halting the issuance of any new BCR authorizations, and
announcing their intent to exercise auditing power over SCCs.
With the future of the proposed Privacy Shield uncertain, the continued validity of
alternative data transfer mechanisms is of great concern to companies seeking
lawful solutions. We will continue to monitor and report on developments
in this space.