The Data Protection Authority of Hamburg, Germany has made good
on its promise to audit cross-Atlantic data transfers in the wake of
the October 2015
Safe Harbor decision. On June 6, the Hamburg DPA announced that it had fined three companies
for unlawful transfers of personal data from the EU to the United
States. According to the press release, over the past few months the
Hamburg DPA has reviewed the data transfers of 35 multinational
organizations to verify compliance with European data protection
laws. The Court of Justice of the European Union's decision
invalidating the Safe Harbor framework expressly empowered European
DPAs to undertake such reviews, but did not invalidate alternative
data transfer methods such as
standard contractual clauses (SCCs) and binding corporate rules (BCRs).
The Hamburg DPA's investigation revealed that, although the
majority of companies had timely implemented SCCs to cover their
data transfers to the U.S., some were transferring customer and
employee personal data in violation of EU law. The three companies
that have been fined (€8,000, €9,000 and €11,000,
respectively) were found to have unlawfully transferred data from
Germany to the U.S., but because they moved to SCCs during the
course of their respective proceedings, the fines were reduced
significantly from the potential maximum of €300,000. The
Hamburg DPA has indicated that additional proceedings involving
other organizations are ongoing. In an interview published in Spiegel Online, Hamburg
Data Protection Commissioner Dr. Johannes Caspar noted that
unlawful data transfers may be penalized more harshly in the
future. He has also echoed the Irish Data Protection
intention to begin examining the legality of the use of SCCs
for transfers of EU personal data.
The Hamburg DPA's announcement is unsurprising to those who
have been following the Safe Harbor saga – it reflects a
general Teutonic wariness of cross-Atlantic data transfers that has
only increased since the Safe Harbor decision. In October 2015,
another German DPA published a position paper warning of fines of up to
€300,000 for unlawful personal data transfers. Also in
October, a group of German DPAs issued a
14-point position paper questioning the validity of BCRs and
SCCs, halting the issuance of any new BCR authorizations, and
announcing their intent to exercise auditing power over SCCs.
With the future of the proposed Privacy Shield
uncertain, the continued validity of alternative data transfer
mechanisms is of great concern to companies seeking lawful
solutions. We will continue to monitor and report on developments
in this space.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.