While there’s more work to be done on the EU-U.S. Privacy Shield, which is intended to replace the Safe Harbor agreement and provide protection of EU citizens’ data when in the United States, privacy regulators continue to be watchful for companies that are breaching privacy laws. This week, Johannes Caspar, the Hamburg Data Commissioner, announced that it had fined three companies, including Adobe Systems, a total of 28,000 euros ($32,000) for using the now-invalid Safe Harbor to transfer data from the EU to the United States.
A press release stated that the office had inspected 35 international companies based in Hamburg. While it found that a number of the investigated companies had changed data transfer to standard contractual clauses after Safe Harbor was declared invalid and within several months of the implementation period, there were a few that had not. This made data transfer between these companies and the United States “without any legal basis and unlawful.”
The other two companies fined in addition to Adobe Systems (8,000 euros) were a subsidiary of PepsiCo called Punica (9,000 euros) and Unilever (11,000 euros). The companies had eventually implemented alternative legal mechanisms for data transfer between the EU and the United States, which, according to Caspar, factored in favorably when fines were being calculated. But if there are future infringements, said Caspar, “stricter measures will be applied.”
While using standard contractual clauses is currently recommended, they, too, will be up for future scrutiny to determine if they offer sufficient data protection.
For more on navigating the still-unknown data privacy waters, including best practices for e-discovery, download LLM, Inc.’s “After Safe Harbor” white paper.