As threatened earlier this year, the Hamburg Data Protection Commissioner Johannes Caspar has announced enforcement actions against a handful of multinational companies for non-compliance with German data protection law. After the Schrems decision in the European Court of Justice in October 2015 invalidated U.S.-EU Safe Harbor as a data transfer mechanism from the EU to the U.S., the Article 29 Working Party – a collective of the individual EU Member States’ Data Protection Authorities (DPAs) – announced an enforcement grace period to allow companies to get into compliance with other data transfer mechanisms, such as Model Contracts or Binding Corporate Rules. Caspar and his office have since audited 35 multinational companies operating in Hamburg. The enforcement actions, and the administrative fines levied therein, are related to the earlier audits, but may not be the end of the DPA’s investigations.
The Hamburg enforcement actions are the first enforcement actions made public against U.S. companies that did not update their data transfer compliance in a timely fashion, but they certainly will not be the last. Companies should anticipate enforcement actions for non-compliance from other DPAs.
For more information, please see our recent client alert.