Following the CJEU's judgment of October 2015 invalidating the European Commission's Safe Harbor Decision, the Data Protection Authority Hamburg (“DPA Hamburg“) started investigations against 35 internationally operating companies in Hamburg. According to a press release of DPA Hamburg of 6 June 2016, these investigations revealed that the majority of the companies under investigation had used the six months grace period, as set by the Article 29 Working Party, to change their practices to be based on standard contractual clauses. However, according to DPA Hamburg, some companies under investigation have failed to implement alternative measures in order to legitimize data transfers to the United States. Consequently, DPA Hamburg determined that data transfers by those companies lack a sufficient legal basis and are, therefore, illegal.

Whereas some of the proceedings are still pending, three penalty notices issued by DPA Hamburg have in the meantime become binding. Notably, the affected companies have, once under investigation, also implemented standard contract clauses. Johannes Caspar, the Hamburg Data Protection Commissioner, said that, when calculating the fines, DPA Hamburg took into account that the companies fined have in the meantime changed their practices and now have standard contractual clauses in place. However, he also emphasized that future violations might result in even higher fines. According to press articles, DPA Hamburg imposed fines in the range between EUR 8,000 and EUR 11,000. The German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) provides for fines of up to EUR 300,000 for each breach.

The investigations of DPA Hamburg demonstrate that German DPAs are keen to investigate and fine companies which have failed to take appropriate measures following the invalidation of Safe Harbor in October 2015. Companies are called on to ensure that there is a solid legal basis for data transfers to the United States in place. For the time being, the implementation of standard contract clauses appears to be the most suitable replacement for Safe Harbor.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.