Safe Harbor Woes

A Data Protection Authority in Germany has fined three internationally operating companies for continuing to rely on Safe Harbor in relation to data transfers with the United States of America.

The Hamburg Commissioner for Data Protection has fined three companies between €8,000 and €11,000 for continuing to rely on Safe Harbor following its invalidation by the Court of Justice of the European Union (CJEU) in the Schrems case. The fines were imposed even though the companies in question had altered their practices in the interim.

In the Schrems case, the CJEU had ruled that the Safe Harbor programme used as the legal basis for the transfer of personal data to the USA was invalid, as it did not sufficiently protect the privacy rights of individuals as required by European Data Protection legislation. For further information on this please see our blog.

As a result of this decision, companies and organisations, irrespective of their size, were required to alter their practices to ensure that personal data was no longer transferred to the USA on the basis of Safe Harbor. Companies were required either to use Model Clauses approved by the European Commission in their contracts or to use Binding Corporate Rules. The Information Commissioner’s Office produced guidance on this matter requiring companies in the UK who transfer data to the USA to take stock following the Schrems decision and assess the adequacy of protection offered if they were continuing with the transfer of personal data.

Since Schrems, the European Commission and the respective authorities in the USA have conducted talks and agreed a new framework for transatlantic data flows, the EU-US Privacy Shield, but this is still being considered and is not yet in force.

It is reported that the Hamburg Commissioner for Data Protection assessed the practices of 35 internationally operating companies with office locations within its jurisdiction. It found that within 6 months of the Schrems decision most companies had made changes to their practices so that they were not relying on Safe Harbor. However, for those that did not do so in time, it decided to take action.

To date it is not known whether the ICO has conducted a similar assessment, and its guidance does not seem to suggest this. However, as the Data Protection Act is based on a European Directive and with the General Data Protection Regulation having been approved, the ICO tends to align its practices with those of other European Data Protection Authorities. As such, if companies in the UK have continued to rely on Safe Harbor post Schrems, whether this was provided for in old contracts or new, it would be prudent for them to review their practices and take necessary action.

Forbes Solicitors regularly advise a range of clients on data protection law and practice. This includes advice on policies, procedures, training, model clauses, subject access rights and enforcement action for businesses, housing associations, charities and public authorities. To assist your organisation with compliance with the Data Protection Act and to prepare for the GDPR, our team is able to offer a Data Protection Audit on a fixed fee basis. If you would like more information please contact Daniel Milnes.

Nat Avdiu

About Nat Avdiu

Nat Avdiu is a Paralegal in the Contracts and Projects team at Forbes Solicitors. Nat provides updates for clients on a range of issues including: governance, data protection and freedom of information, procurement and charity law.