On June 6, 2016, the Data Protection Commissioner for Hamburg,
Germany, announced fines against three US companies for unlawful
transfers of employee and customer data from the EU to the US. This
action by the Hamburg Commissioner is the most significant
enforcement action to date for non-compliance with current law.
These fines occurred in the wake of the October 2015 decision by
the Court of Justice of the European Union (CJEU), which
invalidated the US-EU Safe Harbor Framework as a means for lawfully
transferring personal data from the EU to the US. (Previously,
certain US companies and other persons could lawfully transfer
Europeans' personal data to the US by certifying their
compliance with the Safe Harbor Framework.) The CJEU's decision
created significant uncertainty for data transfers from the EU to
the US, as many companies rushed to implement alternate means of
lawfully transferring data. European data protection authorities
provided a three months grace period following the decision, which
expired at the end of January 2016.
Possibility of future inspections and actions. These
fines result from inspections of 35 international companies based
in Hamburg, with some inspections ongoing. Additional inspections
will presumably follow from the Hamburg Commissioner and/or other
European data protection authorities. The Hamburg Commissioner
suggested that "stricter measures" would be appropriate
for future non-compliance.
Questioning the Standard Contractual Clauses. As noted
by the Commissioner, many companies have implemented the Standard
Contractual Clauses to ensure lawful transfers of personal data
from the EU to the US. For the purpose of this round of
inspections, the Standard Contractual Clauses were found to be an
acceptable alternative to Safe Harbor. However, doubts have been
raised about the Clauses' adequacy. Although the Hamburg
Commissioner did not object to the use of the Standard Contractual
Clauses, he did call for scrutiny of the Clauses, and the Data
Protection Commissioner of Ireland announced in May that it will
seek legal review of the Standard Contractual Clauses by the Irish
High Court and the CJEU.
Need for a Privacy Shield. These fines are likely to
increase pressure on US and EU agencies seeking an acceptable
replacement for Safe Harbor. In February, the US Department of
Commerce and the European Commission proposed the new EU-U.S.
Privacy Shield Framework to replace Safe Harbor. The Article 29
Data Protection Working Party, which includes the heads of EU data
protection authorities, has since expressed some concerns that the
Privacy Shield remains inadequate and the new framework is now
awaiting approval by EU member state representatives.
Know your data transfers. The fines against US
companies by the German Data Protection Commissioner demonstrates
how important it is for companies to review and understand the
legal basis for international transfers of their employees' or
customers' data. And this is not limited to EU-US transfers;
countries in Asia and Latin America, for example, have enacted
similar legislation that may limit cross-border data
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
In this article Filippo Noseda examines the impact of the Common Reporting Standards (CRS), based on practical examples of data transfer and data breaches and analysed in the light of general tax law principles.
Four years after the overhaul of European data protection laws began, the final text of the new General Data Protection Regulation (GDPR) was approved in Spring 2016 and the new rules will come into effect on 25 May 2018.
This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.
The market of the so-called "connected vehicles" has been considerably growing since 2015. According to a recent study by AlixPartners, 78 million of connected vehicles will be commercialized in 2018, generating a EUR40 billion turnover.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).