Data transfers in limbo – U.S. companies face fines by German data protection authorities

Dr. Christian Schröder
Orrick, Herrington & Sutcliffe LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Orrick, Herrington & Sutcliffe LLP

While EU regulators determine whether to adopt a new agreement for transfers of personal data from Europe to the United States to replace the invalid EU-U.S. Safe Harbor Framework, German data protection authorities have not been idly twirling their thumbs.

Hamburg’s data protection commissioner, the head of one of 16 Federal German data protection authorities (“DPA”), announced in February that his agency is investigating Hamburg-based subsidiaries of large U.S. companies engaging in transfers of personal data of EU citizens to the U.S.

While the “EU-U.S. Privacy Shield” has been proposed by the EU Commission as a replacement to the Safe Harbor Agreement it is still under discussion and has not been formally adopted. In the meantime, some U.S. companies may still be relying on the defunct Safe Harbor Agreement to transfer personal data across the Atlantic.  After the Safe Harbor Agreement was declared invalid by the EU Court of Justice last October, the Hamburg DPA started investigating the legal bases for continued transfers of personal data to the U.S.

According to German online media portal Spiegel Online, the Hamburg data protection authority is preparing to fine at least three of the 35 U.S. companies based in Hamburg for continuing to rely on the invalid Safe Harbor agreement as the legal basis for their transatlantic data transfers of personal data, and it is investigating two more companies for the same reason. According to information from Bloomberg BNA, at least against one of the undisclosed U.S. companies will definitely have a fine imposed by the Hamburg DPA. A fine for unauthorized data transfers to the U.S. may amount to EUR 300,000 (around USD 340,000).  It is possible that other German DPA’s will follow Hamburg’s example and open investigations against U.S. companies subject to their jurisdiction.

If your company is conducting transatlantic data transfers, in particular from subsidiaries in Germany, take note of these investigations and consider alternatives to reduce the risk that your company will be the next target.  You can read about alternative solutions for transatlantic data transfers in our previous post on U.S.–EU Safe Harbor.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick, Herrington & Sutcliffe LLP | Attorney Advertising

Written by:

Orrick, Herrington & Sutcliffe LLP
Orrick, Herrington & Sutcliffe LLP
Contact
more
less

Orrick, Herrington & Sutcliffe LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide