German data protection authorities have already started issuing proceedings against companies that are still transferring personal data to the US (“Data Transfers”) under Safe Harbor, less than a month after the expiration of the deadline set by the Art. 29 Working Party and the announcement that agreement had been reached on the EU-US Privacy Shield. Companies relying solely on Safe Harbor that have been waiting for the new EU-US Privacy Shield to come into force before changing their approach to Data Transfers should take stock. Enforcement practice has varied significantly around Europe, with the German regulators being some of the most active, but it is fair to say that simply waiting for the EU-US Privacy Shield without taking any further steps is an increasingly risky approach.
Meanwhile, on 29 February the European Commission unveiled the various texts that will make up the Privacy Shield. Datonomy will be reporting on that development in more detail shortly.
What enforcement action have German authorities taken?
The Hamburg data protection authority (“Hamburg DPA”) recently announced that it has taken enforcement action against three companies that still base their data transfers on Safe Harbor. Following the ECJ’s decision in Schrems in October 2015, which invalidated Safe Harbor, the Hamburg DPA requested that Hamburg-based affiliates of US companies listed under the Safe Harbor scheme disclose the basis of their data transfers. Of the 35 companies originally investigated, many implemented other mechanisms, such as model clauses, to validate their data transfers. The three companies which are now the subject of these new enforcement actions did not. The Hamburg DPA has criticised these companies for continuing to rely on the now defunct Safe Harbor despite having had enough time to implement other mechanisms.
The Hamburg DPA has said that the next step will be a hearing, after which fines may be imposed. Furthermore, two other companies are subject to ongoing investigations by the Hamburg DPA, whilst another 16 companies are being investigated by the Rhineland-Palatinate data protection authority.
What do you need to do?
As enforcement action has now begun, waiting for the EU-US Privacy Shield to come into force and relying solely on Safe Harbor in the meantime is an increasingly risky option. There are of course many variables which will affect your particular organisation’s risk profile, including the nature and volume of the data transferred and which jurisdictions the data is exported from (and to), given that there is a spectrum of views and enforcement activity among Europe’s various data protection authorities. Germany has some of the strictest authorities. That said, simply doing nothing is not a sensible approach. The regulators are investigating, and it is important to have a good narrative to tell your regulators if they come knocking on your door. With relatively quick and easy alternative solutions available (such as model clauses), it is time to work out the best option for your organisation if you haven’t already done so.