ARTICLE
15 June 2016

German Data Protection Commissioner Fines US Companies For Unlawful Data Transfers

A&O Shearman

Contributor


On June 6, 2016, the Data Protection Commissioner for Hamburg, Germany, announced fines against three US companies for unlawful transfers of employee and customer data from the EU to the US. This action by the Hamburg Commissioner is the most significant enforcement action to date for non-compliance with current law.

These fines occurred in the wake of the October 2015 decision by the Court of Justice of the European Union (CJEU), which invalidated the US-EU Safe Harbor Framework as a means for lawfully transferring personal data from the EU to the US. (Previously, certain US companies and other persons could lawfully transfer Europeans' personal data to the US by certifying their compliance with the Safe Harbor Framework.) The CJEU's decision created significant uncertainty for data transfers from the EU to the US, as many companies rushed to implement alternate means of lawfully transferring data. European data protection authorities provided a three-month grace period following the decision, which expired at the end of January 2016.

Key Takeaways:

  • Possibility of future inspections and actions. These fines result from inspections of 35 international companies based in Hamburg, with some inspections ongoing. Additional inspections will presumably follow from the Hamburg Commissioner and/or other European data protection authorities. The Hamburg Commissioner suggested that "stricter measures" would be appropriate for future non-compliance.
  • Questioning the Standard Contractual Clauses. As noted by the Commissioner, many companies have implemented the Standard Contractual Clauses to ensure lawful transfers of personal data from the EU to the US. For the purpose of this round of inspections, the Standard Contractual Clauses were found to be an acceptable alternative to Safe Harbor. However, doubts have been raised about the Clauses' adequacy. Although the Hamburg Commissioner did not object to the use of the Standard Contractual Clauses, he did call for scrutiny of the Clauses, and the Data Protection Commissioner of Ireland announced in May that it will seek legal review of the Standard Contractual Clauses by the Irish High Court and the CJEU.
  • Need for a Privacy Shield. These fines are likely to increase pressure on US and EU agencies seeking an acceptable replacement for Safe Harbor. In February, the US Department of Commerce and the European Commission proposed the new EU-U.S. Privacy Shield Framework to replace Safe Harbor. The Article 29 Data Protection Working Party, which includes the heads of EU data protection authorities, has since expressed some concerns that the Privacy Shield remains inadequate and the new framework is now awaiting approval by EU member state representatives.
  • Know your data transfers. The fines against US companies by the German Data Protection Commissioner demonstrate how important it is for companies to review and understand the legal basis for international transfers of their employees' or customers' data. And this is not limited to EU-US transfers; countries in Asia and Latin America, for example, have enacted similar legislation that may limit cross-border data transfers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
