Certain European Union (EU) Member States’ data protection authorities (DPAs) have already started to announce investigations and/or “prudential measures” for data transfers solely relying on the invalidated “U.S.-EU Safe Harbor Framework” (Safe Harbor).
In the aftermath of the announcement of the “EU-U.S. Privacy Shield” (Privacy Shield), the Article 29 Working Party (WP29), comprised of all EU Member State DPAs, announced an extension of the “grace period” for U.S. data transfers based on alternative transfer mechanisms (e.g., EU standard contractual clauses and Binding Corporate Rules) other than Safe Harbor, at least until the Privacy Shield has been reviewed by WP29 (likely by the end of March 2016).
The following reactions have already begun to take place in the EU Member States:
- Denmark has issued a statement on WP29, but not announced enforcement actions;
- France has issued a statement and stated that they will investigate complaints they receive;
- Finland has issued a statement on Privacy Shield, but not announced enforcement actions;
- Ireland refers only to the WP29 press release;
- Luxembourg has announced that they will investigate based on complaints they receive;
- Netherlands has issued a statement on Privacy Shield, but not announced enforcement actions;
- Poland refers only to the WP29 press release;
- Slovakia has issued a statement on WP29, but not announced enforcement actions;
- Slovenia has issued a statement on WP29, but not announced enforcement actions. However, they refer to a January 2016 guidance paper for data transfers; and
- Spain has issued a statement on Privacy Shield, but not announced enforcement actions.
In Germany, where the DPAs have often been outspoken about EU-U.S. data transfers:
- Bavaria has announced “sanctions” against companies that continue to base their transfers on Safe Harbor;
- Hamburg has announced that data transfers on the basis of the former Safe Harbor are expressly excluded from the grace period extension granted by WP29 and that such transfers are “clearly illegal.” Violations will be investigated by the DPA, with express reference to the three-step-enforcement plan issued in 2015, which foresees enforcement actions starting in February 2016 (in particular, suspension orders and fines);
- Hessen has equally announced “sanctions”;
- Lower Saxony had issued a statement in January 2016, before the announcement of the Privacy Shield, relating to intended Safe Harbor enforcement actions; however, this statement had already taken into account such a possible replacement and may therefore still be relevant;
- North Rhine Westphalia on February 3, 2016 updated a statement from 2015, in which they had announced “prudential measures” for Safe Harbor certified data transfers; although the update only refers to the press release of WP29, the original enforcement announcement may still remain relevant; and
- Thuringia so far has only criticized the new Privacy Shield regime, without announcing particular investigative measures. However, this position might indicate that the DPA considers all data transfers to the U.S. to be unlawful and thus might carry out enforcement activities.
A joint statement of the German DPAs, also released today, expressed the German DPAs’ support for the content of the Article 29 Working Party press release and noted that the DPAs will exercise their independence to investigate cases and complaints on a case-by-case basis.
Companies, in particular those who have establishments and/or affiliates in one or several of the German states mentioned, are therefore strongly advised to implement Standard Contractual Clauses or Binding Corporate Rules for intra-group transfers, if they have not done so already.
Many of the statements and announcements with hyperlinks above refer to local language news sources, which have been translated by Crowell & Moring attorneys in Europe. For more information, please contact the authors, or your regular Crowell & Moring contact.