May 27, 2022

Volume XII, Number 147

Advertisement
Advertisement

May 26, 2022

Subscribe to Latest Legal News and Analysis

May 25, 2022

Subscribe to Latest Legal News and Analysis

May 24, 2022

Subscribe to Latest Legal News and Analysis
Advertisement

No Safe Harbor Here: German Regulator Imposes Fines for Privacy Shortcomings for US Transfers

The Hamburg Data Protection Agency (DPA) recently fined three companies for not having appropriate replacements for the Safe Harbor in place after the expiration of the permitted grace period. While the amounts of these fines are not particularly concerning, the precedent and potential for future, more burdensome fines is significant.

As we discussed in a previously, in the landmark case Maximillian Schrems v. Data Protection Commissioner, the European Court of Justice (ECJ) ruled that the Safe Harbor program (which had dictated the conditions of the transfer of personal data from the European Union to the United States since 2000) is invalid. The European DPAs granted companies a transitory period to migrate from the Safe Harbor to other legal tools for their international data transfers, in particular by implementing Binding Corporate Rules (BCRs) or the Model Contractual Clauses. This transitory period expired in February. Since that time, some proactive DPAs, including the Hamburg DPA in Germany, have launched their own inquiries to ensure that the companies under their jurisdiction are in compliance.

The Hamburg DPA’s investigation focused on 35 companies and found significant shortcomings in its subjects. The fines imposed by the DPA on the three companies totaled 28,000 euros (US $32,000). In addition, the Hamburg DPA announced that further investigations remain pending.

It’s worth noting that the DPA acknowledged that the fact that these companies had eventually implemented alternative, compliant means for data transfers into the United States played in the companies’ favor when considering the amount of each fine. That said, the DPA explained that more severe enforcement measures will be applied to future violations.

Copyright © 2022 by Morgan, Lewis & Bockius LLP. All Rights Reserved.National Law Review, Volume VI, Number 162
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Dr. Axel Spies, Telecommunications and technology lawyer, Morgan Lewis
Special Legal Consultant

Dr. Axel Spies has advised clients for many years on various international issues, including licensing, competition, corporate issues, and new technologies such as cloud computing. He counsels on international data protection (EU General Data Protection Regulation), international data transfers (Privacy Shield), healthcare, technology licensing, e-discovery, and equity purchases. A member of the Sedona Conference on Electronic Discovery, Dr. Spies is frequently quoted in the media for his telecommunications and privacy knowledge.

202-373-6145
Eric Pennesi, Morgan Lewis, Technology attorney
Associate

Eric J. Pennesi focuses his practice on technology, outsourcing, and commercial transactions. As part of his practice, Eric drafts and negotiates a broad range of agreements in matters including software licensing, e-commerce, data licensing and subscriptions, consulting and services, manufacturing and supply, and strategic alliances and joint ventures.

412.560.7414
Advertisement
Advertisement
Advertisement