No Safe Harbor In Germany—First Fines Imposed For Relying On Safe Harbor For Data Transfers
By Behnam Dayanim and Edward George*
*Summer Associate; Georgetown University Law Center (J.D. expected 2017)
The Safe Harbor provision has finally set sail. On Monday, the Hamburg Data Protection Authority (“Hamburg DPA”)
Prior to the decision, the Safe Harbor regulated the transatlantic exchanges of personal data for commercial purposes. Businesses like Google, Facebook, and Apple were legally permitted to transmit their European subscribers’ personal data to the United States as long as they self-certified under the agreement.
But because the CJEU found the Safe Harbor failed to provide an adequate level of protection for EU citizens’ personal data, businesses have had to consider a number of
In response to the CJEU’s decision, the European Commission and the Obama Administration feverishly worked to craft a new data-protection framework—the
However, since the release of the Privacy Shield proposal, the
Since the CJEU decision, many companies have been clinging to their Safe Harbor certifications in the hope that an enforcement “détente” of sorts might hold off any European enforcement action until a replacement (such as Privacy Shield) can be enacted. Some European DPAs have indicated as much, but others have warned that they would continue to enforce their national laws.
The Hamburg DPA’s recent actions signal that there were teeth to that warning and that companies continue to adhere to Safe Harbor at their peril.
Of some solace, perhaps, is the comment of Hamburg Data Commissioner Johannes Caspar that, in setting the amount of the fines, the Hamburg DPA treated the companies’ efforts to change their policies as a mitigating factor.
Continued Regulatory Uncertainty
As the regulatory landscape remains uncertain, businesses transferring data from the European Union to the United States have options to
Ultimately, it seems as though the future of transatlantic data transfer, at least in the near term, remains unclear – the worst possible outcome for multinational businesses.
PH Privacy is Paul Hastings’ Privacy, Cybersecurity and Data Governance blog.