Germans Fine Unilever, Adobe for U.S. Data Transfers

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jabeen Bhatti

June 6 — A German privacy regulator June 6 fined three international companies for allegedly unlawfully transferring data to the U.S. in a show of enforcement force after the invalidation of the U.S.-European Union Safe Harbor Program.

According to Bloomberg News, the data protection authority (DPA) of Hamburg fined consumer goods maker Unilever 11,000 euros ($12,505), software company Adobe Systems Inc. 8,000 euros ($9,094) and fruit juice maker Punica—which is owned by PepsiCo Inc.—9,000 euros ($10,220). The DPA alleged that the three international companies with German operations failed properly ensure the privacy for employee and customer data transferred to the U.S.

With the old approved data transfer pact gone and its the future of its planned replacement—the EU-U.S. Privacy Shield—in doubt, U.S. companies seeking to lawfully transfer personal data out of Germany without risk of a privacy enforcement action have few options.

“For all companies in Europe, particularly in Germany where the DPAs are very sophisticated, and have become more aggressive in enforcement, companies are really struggling,” Jörg Hladjk, a cybersecurity and data protection attorney at Jones Day in Brussels, told Bloomberg BNA June 6.

“We are reaching a critical turning point for globally operating companies in terms of international data transfers,” Hladjk said. “Safe Harbor is no longer available, Privacy Shield not yet adopted, EU model clauses under scrutiny by the DPAs, binding corporate rules mean a ton of work,” Hladjk said.

“So what's left for companies to use in the short term?”

No Safe Harbor

The European Court of Justice October 2015 invalidated the U.S.-European Union Safe Harbor framework which was relied on by over 4,400 U.S. companies and thousands of EU companies to transfer data between the U.S. and the EU (14 PVLR 1825, 10/12/15).

Negotiators Feb. 2 agreed on the EU-U.S. Privacy Shield agreement to replace the invalidated Safe Harbor program (15 PVLR 269, 2/8/16). But the replacement framework has been criticized by various parties as inadequate to protect EU citizens' data from mass government surveillance by the U.S. government (15 PVLR 1161, 6/6/16).

Following the invalidation of the Safe Harbor, the DPA investigated the data transfer practices of companies based in the northern German state with U.S. parent companies (15 PVLR 871, 4/25/16). The DPA's investigations uncovered that the “overwhelming majority” of these companies altered their data transfer practices to base them on standard contractual clauses during the six month implementation period following the Safe Harbor invalidation.

Several companies, however, didn't amend their data transfer practices and as a result, continued to carry out data transfers into the U.S. without a legal basis, the DPA said.

Further Uncertainty

Ulrich Wuermeling of Latham & Watkins's Frankfurt office, told Bloomberg BNA June 6 that “whether and when the European Commission will confirm the adequacy of the EU-U.S. Privacy Shield remains uncertain given the negative opinions of the data protection authorities concerned.”

“Further uncertainty will result from potential legal actions against the EU-US Privacy Shield. As a consequence, companies should continue to use model clauses for data transfers to the U.S. and keep monitoring the developments in case another solution emerges to be more reliable,” Wuermeling said.

“The actions of the Hamburg DPA confirm that model clauses remain to be the most suitable replacement for Safe Harbor,” he added. “Even if the Irish Data Protection Commissioner initiates a court proceeding in order to clarify the validity of such model clauses, it will take at least two years before such a proceeding could lead to the invalidation of such model clauses by the ECJ.”

Meanwhile, attorneys are skeptical of solutions in the short term.

“It's a political discussion you will never solve—you would have to change the legal system in the U.S. to do away with the concerns,” one attorney, who asked to remain unidentified due to involvement with the investigation, told Bloomberg BNA June 6. “That's never going to happen.”

Hamburg Data Protection Commissioner Johannes Caspar said that in calculating the fines, the DPA took into account whether the companies have changed their practices to be based on standard contractual clauses.

The companies that were fined have changed their practices to be based on standard contractual clauses, it said.

“Stricter standards will surely be in place for violations detected in the future,” Caspar said.

The DPA added that several of the proceedings are ongoing, and other investigations remain open.

To contact the reporter on this story: Jabeen Bhatti in Berlin at

To contact the editor responsible for this story: Jimmy H. Koo at

Request Bloomberg Law Privacy and Data Security