U.S. Subsidiary in Germany Faces Data Transfer Fines

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jabeen Bhatti

April 20 — At least one of six Hamburg-based subsidiaries of U.S. companies being investigated for data protection infringement is set to receive a fine for unauthorized data transfer to the U.S., the north German state's data protection authority (DPA) told Bloomberg BNA April 20.

The Hamburg DPA said it couldn't provide further information on the company or the fine as it was in the process of issuing a penalty notice to the company in question—such penalties can be as high as 300,000 euros ($338,895).

The European Court of Justice Oct. 6, 2015 invalidated the U.S.-European Union Safe Harbor program, which allowed U.S. companies to transfer EU citizens' data to the U.S. if they self-certified to the U.S. Department of Commerce their compliance with privacy principles similar to those contained in the EU Data Protection Directive (14 PVLR 1825, 10/12/15).

Following the ECJ ruling, the DPA investigated how companies in Hamburg with U.S. parent companies are transferring data to the U.S.

In two of the other investigations, the Hamburg DPA took enforcement action because it received no information from the companies about the nature of their data transfers in spite of repeated queries. Simultaneously, the DPA initiated proceedings against the other companies suspected of transferring data to the U.S. using the defunct Safe Harbor mechanism or other non-permissible methods.

German DPAs have even questioned the legality of other modes of transfer still deemed legal such as binding corporate rules or standard contractual clauses (14 PVLR 1992, 11/2/15).

In the pending cases, the DPA said the companies have until April 25 to respond to its queries. Depending on the DPA's evaluation, those companies could face fines as well.

EU and U.S. negotiators Feb. 2 agreed on the EU-U.S. Privacy Shield agreement to replace the invalidated Safe Harbor program (15 PVLR 269, 2/8/16).

To contact the reporter on this story: Jabeen Bhatti in Berlin at correspondents@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com