Reports of enforcement actions against companies based upon continued reliance on Safe Harbor for data transfers to the US have been few and far between. One German regulator, however, broken the ice.
On June 6, the Hamburg data protection authority announced that it had fined three companies – Adobe, Pepsi subsidiary Punica and Unilever – for continuing to rely on Safe Harbor as their legal basis for transferring personal data to the US. While the fines could have been as large as €300,000, they were reduced to €11,000 or less because each of the companies switched to the use of alternative transfer mechanisms during the course of the authority's proceedings.
The fines were the outcome of an inspection of the data transfer procedures of 35 internationally active Hamburg-based companies. According to the authority, the vast majority of the companies switched to the use of standard contractual clauses within several months of the invalidation of Safe Harbor by the European Court of Justice in October 2015. Proceedings against a few companies continue, with Commissioner Johannes Caspar warning that stricter sanctions would be imposed if alternative transfer measures were not adopted. Caspar also indicated that his office would look into the admissibility of alternative transfer mechanisms, and standard contractual clauses in particular, should negotiations over the Privacy Shield not succeed.