Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
June 6 — A German privacy regulator June 6 fined three international companies for allegedly unlawfully transferring data to the U.S. in a show of enforcement force after the invalidation of the U.S.-European Union Safe Harbor Program.
According to Bloomberg News, the data protection authority (DPA) of Hamburg fined consumer goods maker Unilever 11,000 euros ($12,505), software company Adobe Systems Inc. 8,000 euros ($9,094) and fruit juice maker Punica—which is owned by PepsiCo Inc.—9,000 euros ($10,220). The DPA alleged that the three international companies with German operations failed properly ensure the privacy for employee and customer data transferred to the U.S.
With the old approved data transfer pact gone and its the future of its planned replacement—the EU-U.S. Privacy Shield—in doubt, U.S. companies seeking to lawfully transfer personal data out of Germany without risk of a privacy enforcement action have few options.
“For all companies in Europe, particularly in Germany where the DPAs are very sophisticated, and have become more aggressive in enforcement, companies are really struggling,” Jörg Hladjk, a cybersecurity and data protection attorney at Jones Day in Brussels, told Bloomberg BNA June 6.
“We are reaching a critical turning point for globally operating companies in terms of international data transfers,” Hladjk said. “Safe Harbor is no longer available, Privacy Shield not yet adopted, EU model clauses under scrutiny by the DPAs, binding corporate rules mean a ton of work,” Hladjk said.
“So what's left for companies to use in the short term?”
The European Court of Justice October 2015 invalidated the U.S.-European Union Safe Harbor framework which was relied on by over 4,400 U.S. companies and thousands of EU companies to transfer data between the U.S. and the EU (14 PVLR 1825, 10/12/15).
Negotiators Feb. 2 agreed on the EU-U.S. Privacy Shield agreement to replace the invalidated Safe Harbor program (15 PVLR 269, 2/8/16). But the replacement framework has been criticized by various parties as inadequate to protect EU citizens' data from mass government surveillance by the U.S. government (15 PVLR 1161, 6/6/16).
Following the invalidation of the Safe Harbor, the DPA investigated the data transfer practices of companies based in the northern German state with U.S. parent companies (15 PVLR 871, 4/25/16). The DPA's investigations uncovered that the “overwhelming majority” of these companies altered their data transfer practices to base them on standard contractual clauses during the six month implementation period following the Safe Harbor invalidation.
Several companies, however, didn't amend their data transfer practices and as a result, continued to carry out data transfers into the U.S. without a legal basis, the DPA said.
Ulrich Wuermeling of Latham & Watkins's Frankfurt office, told Bloomberg BNA June 6 that “whether and when the European Commission will confirm the adequacy of the EU-U.S. Privacy Shield remains uncertain given the negative opinions of the data protection authorities concerned.”
“Further uncertainty will result from potential legal actions against the EU-US Privacy Shield. As a consequence, companies should continue to use model clauses for data transfers to the U.S. and keep monitoring the developments in case another solution emerges to be more reliable,” Wuermeling said.
“The actions of the Hamburg DPA confirm that model clauses remain to be the most suitable replacement for Safe Harbor,” he added. “Even if the Irish Data Protection Commissioner initiates a court proceeding in order to clarify the validity of such model clauses, it will take at least two years before such a proceeding could lead to the invalidation of such model clauses by the ECJ.”
Meanwhile, attorneys are skeptical of solutions in the short term.
“It's a political discussion you will never solve—you would have to change the legal system in the U.S. to do away with the concerns,” one attorney, who asked to remain unidentified due to involvement with the investigation, told Bloomberg BNA June 6. “That's never going to happen.”
Hamburg Data Protection Commissioner Johannes Caspar said that in calculating the fines, the DPA took into account whether the companies have changed their practices to be based on standard contractual clauses.
The companies that were fined have changed their practices to be based on standard contractual clauses, it said.
“Stricter standards will surely be in place for violations detected in the future,” Caspar said.
The DPA added that several of the proceedings are ongoing, and other investigations remain open.
To contact the reporter on this story: Jabeen Bhatti in Berlin at email@example.com
To contact the editor responsible for this story: Jimmy H. Koo at firstname.lastname@example.org
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)