Companies fined for data transfer to the US

6 Juni 2016

At the end of 2015, the European Court of Justice had invalidated the Commission's US Safe Harbour Decision (background information here). "Safe Harbour" had been the legal basis for the transmission of personal data to the US.

Following the invalidation of Safe Harbour, the data protection authorities had granted a few months transition period, which was intended for the conclusion of a new data transfer agreement ("Privacy Shield", more information here) and for companies to adapt their data privacy declaration and data transfer policy to the new legal situation.

Many companies did nothing.

The data protection authorities in the German State of Hamburg now acted against some companies that did not change their practice and had ignored that the transfer of personal data to the US no longer had a legal basis (details here [in German language]) The fines were far below the maximum amount of 300,000 EUR, but the authorities announced that from now on fines would increase as companies had had sufficient time to adapt and with the present decision were sufficiently warned that the law would be enforced.