A key German privacy official has criticized the U.S. Department of Commerce for continuing to administer the Safe Harbor program, despite Europe's highest court having struck down the scheme last year.
Johannes Caspar, Hamburg's data protection commissioner (the Hamburg DPA), last month levied fines on three U.S. multinationals – Adobe, Punica and Unilever – for continuing to use Safe Harbor as the basis for their transatlantic data transfers. Regulators from across the EU agreed back in February to start cracking down on companies that had not switched to alternative legal mechanisms.
Now, Caspar is investigating more multinationals, as are his counterparts in other German states. And, according to the Hamburg DPA, the U.S. is not helping its companies.
"By maintaining the Safe Harbor list and by continuing to administer the program, the U.S. Department of Commerce gives the impression on the official Safe Harbor website that the principles of the European Commission's decision are more or less still valid," Caspar told IAPP.
As the Hamburg DPA said, the Commerce Department does still maintain its old Safe Harbor page with an advisory at the top that states: "In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework. If you have questions, please contact the European Commission, the appropriate European national data protection authority, or legal counsel."
However, whatever that advisory may say, Europe and its regulators no longer recognize Safe Harbor at all.
"Our investigations have shown that there still are a lot of companies which did not realize or at least refuse to accept that [Safe Harbor] gives them no legitimate ground for data transfers," Caspar said. "It therefore is necessary to discuss the issue of a coherent legal enforcement of data transfers to the U.S."
According to Caspar, that discussion will take in DPAs at several levels: at German state level, federal level, and also within the Article 29 Working Party, the forum through which privacy regulators from across the European Union coordinate their actions.
Crucially, he said, this issue is "independent of the further improvements on the Privacy Shield, which were recently negotiated between the EU and the U.S." This week, EU Member States approved the Privacy Shield.
The earlier draft of Privacy Shield met with resistance from the Article 29 Working Party and the European Data Protection Supervisor, who noted that it was not strong enough to withstand legal scrutiny of the kind that sank Safe Harbor. (Major sticking points include limits on U.S. mass surveillance, and the role of the new ombudsperson who will adjudicate EU citizens' privacy complaints.)
None of the working parties or regulators can technically stop the Commission from issuing a new "adequacy decision" to set the Privacy Shield in stone, but their approval or otherwise is a handy indicator of Privacy Shield's chances for long-term viability.
The current confusion is, of course, why so many companies have not moved on from their previous arrangements: Privacy Shield is not yet in place, and there is still a chance that the alternative legal mechanisms currently available, standard contractual clauses (model clauses) and binding corporate rules, could also be struck down at some point.
The Hamburg DPA is currently investigating another three companies for still using Safe Harbor. Caspar would not comment on the level of the potential fines – those levied on the first three companies were relatively small – but he said: "As a general rule, companies which have not taken notice of the Safe Harbor ruling from October 2015 till now must face tougher sanctions."
His counterpart in the state of Schleswig-Holstein, Marit Hansen, said she was also investigating companies over their continued use of the stricken scheme.
"In March 2016, my office started investigations of nine companies in Schleswig-Holstein concerning the use of Safe Harbor with focus on employee data processing. The majority of investigations showed that Safe Harbor was not used as legal basis for data transfer to the U.S. Two investigations are still ongoing," Hansen said.
Hansen added that a few companies have asked her office for advice on their planned data transfers to the U.S. and other countries outside the European Economic Area.
As for whether the fines levied by Hamburg so far (ranging from $9,000-$12,000) were effective, Caspar said he thought they were a sufficient warning to other companies. Asked whether the three recipients have now improved their processes to his satisfaction, he said: "At the moment, yes."