After the European Court of Justice invalidated Safe Harbor on October 6, 2015, the Article 29 Working Party announced in an October 16, 2015 statement that US companies that were Safe Harbor certified had until the end of January 2016 to find alternative means to transfer data to the US and, if they failed to do so, EU Data Protection Authorities would pursue enforcement measures. DPAs in France, Germany, and Ireland have all addressed these issues, but in different ways.
The Head of the European Working Party, Isabelle Falque-Pierrotin, is also the head of the French DPA, CNIL. In 2015, CNIL investigated Facebook. On January 26, 2016, CNIL found that Facebook was not compliant with respect to cookies; CNIL also noted that Facebook transferred data to the US based on the invalid Safe Harbor. CNIL requested that Facebook stop transferring data to the US per the Safe Harbor within 3 months. Since Facebook is now relying on Standard EU Contractual Clauses and not the Safe Harbor, the CNIL appears to have not taken any further enforcement action.
In Germany, there is a federal DPA as well as DPAs for each state. Of these state DPAs, the Hamburg DPA is a leader in enforcing data subjects’ rights. On June 6, 2016, it issued a press release announcing fines for the unlawful transfer of employee and customer data to the US. The companies fined are not the usual large internet players, but Adobe Systems Inc., Punica (a subsidiary of PepsiCo), and Unilever. The fines were relatively modest for these companies: 8,000, 9,000 and 11,000 euros, respectively. The Hamburg DPA explained that these three companies had adopted alternative transfer tools after the proceedings were initiated and that this was taken into account when calculating the relatively modest fines. The Hamburg DPA said that other inspections were underway.
The decision of the European Court of Justice has not put an end to the action initiated in Ireland by Schrems against Facebook. However, since Facebook has now switched to Standard Contractual Clauses, the remaining disputed issue is whether the Clauses provide an adequate level of privacy protection. Mr. Schrems claims that the same reasoning that led the European Court to invalidate Safe Harbor should lead to the invalidation of the other Commission decision about Standard Contractual Clauses. On May 25, 2016, the Irish Data Protection Commissioner stated that his DPA intended to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses.
This is probably good news for companies which rely on these Clauses. National DPAs are in charge of enforcing the rules on transfers: they can impose fines (the amounts vary substantially from one country to the other) and they can suspend transfers. In the Schrems decision, the European Court held that DPAs were not bound by the Commission Safe Harbor decision, but have the power to assess whether data is transferred with an “adequate level of protection”. In practice, however, DPAs will probably hesitate to make findings that could be contradicted in a few months by the European Court. Additionally, one would expect this important issue to be dealt with at the European level by the Article 29 Working Party rather than at national level. Recently, the Working Party has focused on the draft Privacy Shield and, although it had announced it would conduct an analysis of Standard Contractual Clauses in light of the Schrems decision, it has given no clue as to when this might take place. In theory, the Working Party could decide that neither the new Privacy Shield nor the Standard Contractual Clauses are satisfactory, but that would leave businesses without workable data transfer solutions, and there is reason to believe the Working Party would not want such an outcome.
* * *
In complex situations, it is often a good idea to go back to good old basic legal principles: as long as Standard Contractual Clauses have not been invalidated, they are valid and transfers taking place on that basis should not give rise to any fines.