In its ruling of 6 October 2015 (Case C-362/14, Schrems), the Court of Justice of the European Union (“CJEU”) invalidated the Commission Decision 520/2000/EC on the adequacy of Safe Harbor. As a result, companies were given three-month grace (ending late January 2016) to consider their business processes and to adopt alternative cross-border data transfer mechanisms. In this context, a German regulator has early June fined three international companies, Adobe Systems, Punica, and Unilever for relying on a Safe Harbor agreement and unlawfully transferring personal data to the United States.

1. June 2016
INFO-FLASH
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA
TRANSFERS
In its ruling of 6 October 2015 (Case C-362/14, Schrems), the Court of Justice of the European Union
(“CJEU”) invalidated the Commission Decision 520/2000/EC on the adequacy of Safe Harbor. As a
result, companies were given three-month grace (ending late January 2016) to consider their
business processes and to adopt alternative cross-border data transfer mechanisms.
In this context, a German regulator has early June fined three international companies, Adobe
Systems, Punica, and Unilever for relying on a Safe Harbor agreement and unlawfully transferring
personal data to the United States according to the Press Release (in German only).
More precisely, the Hamburg Data Protection Authority (“DPA”) found that these three companies
had not quickly enough switched to a valid legal alternative after the three-month grace period set
by the Court of Justice of the European Union in the legal battle between Max Schrems and Facebook
on the legitimacy of their transatlantic personal data export practices.
Each company faced a potential fine of up to 300,000 euros but ended up paying much less. Adobe
Systems was fined 8,000 EUR, Punica 9,000 EUR, and Unilever 11,000 EUR given "the fact that the
companies have eventually implemented a legal basis for the transfer had to be taken into account in
a favourable way for the calculation of the fines" said Johannes Caspar, the Hamburg Commissioner
for Data Protection.
The Schrems judgment’s implications are straightforward: the transfer of personal data from the EEA
to companies based in the U.S. may no longer be legitimized on the Safe Harbor. Indeed, if the
recipient third country is found to fail ensuring an adequate level of protection, such as the U.S., the
transfer will be forbidden. However, it may still be possible to transfer data under certain safeguards
resulting from appropriate EU standard contractual clauses, or by obtaining "consent" from all EU
data subjects to transfer to their data to the U.S. (if feasible) or, in the case of multinationals, by the
adoption of binding corporate rules.
In the meantime, the European Commission is currently in negotiation with the U.S. for a new EU-
U.S. data transfer deal, called EU-US Privacy Shield, to replace U.S.-EU Safe Harbor framework. So far
Europe’s Article 29 Working Party, the body made up of the heads of EU Member State DPAs, has
signaled it is not satisfied with the EU-US Privacy Shield in its current form.
Recently, the Max Schrems-led group stated that the Irish DPA may be referring EU standard
contractual clauses to the Irish High Court for referral on to the CJEU according to a Press Release
from Europe-v-Facebook.org. If these EU standard contractual clauses are also found to be invalid,
the fate of the EU-US Privacy Shield could also be jeopardized.

2. June 2016
These reduced fines should be a wake-up call to all companies who have yet to establish alternative
cross-border data transfer mechanisms to replace the Safe Harbor agreement. European companies
should also bear in mind that there are now less than two years until the General Data Protection
Regulation (GDPR) comes into force fundamentally changing the way that companies manage their
personal data. European companies should also organize themselves to comply with the GDPR.
For further information or if you have any questions, please do not hesitate to contact any of the
KOAN LORENZ professionals listed below:
Agnès MAQUA
Partner - Brussels
am@koanlorenz.com
Jan DECORTE
Partner - Brussels
JDC@koanlorenz.com
Thomas DUBUISSON
Associate - Brussels
tdu@koanlorenz.com
Nicolas HAMBLENNE
Associate – Brussels
nha@koanlorenz.com