1) CLIENT ALERT
German Data Protection Authority Fines Three Companies for U.S. Data Transfers
Jun.08.2016
In a press release of June 6, 2016, the Data Protection Authority (DPA) of Hamburg announced that three fining decisions it has
issued against companies unlawfully relying on the invalidated “U.S.-EU Safe Harbor Framework” (Safe Harbor) have become
final. The Hamburg DPA concluded that after the invalidation of the former “U.S.-EU Safe Harbor Framework” by the European
Court of Justice in October 2015, the companies had failed to otherwise adequately ensure the protection of employee and
customer data transferred from Europe to the U.S.
At least two of the companies fined are not typical “data-related” businesses: addressees of the fining decisions are consumer
goods manufacturer Unilever (€ 11,000), software company Adobe Systems Inc. (€ 8,000), and fruit juice maker Punica, a
subsidiary of PepsiCo Inc. (€ 9,000).
The fines issued are relatively low. However, Mr. Johannes Caspar, director of the Hamburg DPA, underlined that the fact that
the companies had implemented standard contractual clauses (SCCs) after the start of the investigations, had been taken into
account in favor of the companies when determining the amount of the fines. This confirms the need for companies who relied
on Safe Harbor in the past, to make sure that they install other safeguards, in particular Standard Contractual Clauses.
However, the overall situation regarding the transfer of personal data from the EU to the U.S. remains uncertain. The draft “EUU.S. Privacy Shield,” a recently drafted framework designed to replace the invalidated “Safe Harbor,” still needs to be approved
by the Article 31 Committee in a binding opinion before it can be confirmed by the European Commission in an adequacy
decision. In addition, the Standard Contractual Clauses are possibly also soon to be challenged before the ECJ based on an
initiative of the Irish DPA, a process that may however take several years to play out.
At bottom, the underlying political issue of a clash between European fundamental rights and U.S. government mass
surveillance activities remains. And according to many, only a change in the U.S. legal system with regard to surveillance
practices could solve the issue, which is highly unlikely to occur.
In light of the above, for now, Standard Contractual Clauses are the best solution for personal data transfers from the EU to the
US. In addition, companies should keep monitoring further developments. Crowell & Moring’s Privacy & Cybersecurity team will
continue to closely monitor and provide updates on future developments.
For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.
Jeffrey L. Poston
Partner – Washington, D.C.
Phone: 202.624.2775
Email: jposton@crowell.com
1
2) Emmanuel Plasschaert
Partner – Brussels
Phone: +32.2.282.4084
Email: eplasschaert@crowell.com
Jeane A. Thomas
Partner – Washington, D.C.
Phone: 202.624.2877
Email: jthomas@crowell.com
Evan D. Wolff
Partner – Washington, D.C.
Phone: 202.624.2615
Email: ewolff@crowell.com
Robin B. Campbell
Senior Counsel – Washington, D.C.
Phone: 202.654.6732
Email: rcampbell@crowell.com
Frederik Van Remoortel
Senior Counsel – Brussels
Phone: +32.2.282.1844
Email: fvanremoortel@crowell.com
Christopher Hoff
Associate – Washington, D.C.
Phone: +1 202.624.2779
Email: choff@crowell.com
Lisa Weinert
Associate – Brussels
Phone: +32.2.214.2846
Email: lweinert@crowell.com
2