Article by Sophie Ratzke, Christian Schröder and Sam Castic.

While EU regulators determine whether to adopt a new agreement for transfers of personal data from Europe to the United States to replace the invalid EU-U.S. Safe Harbor Framework, German data protection authorities have not been idly twiddling their thumbs.

Hamburg's data protection commissioner, the head of one of 16 Federal German data protection authorities ("DPA"), announced in February that his agency is investigating Hamburg-based subsidiaries of large U.S. companies engaging in transfers of personal data of EU citizens to the U.S.

While the "EU-U.S. Privacy Shield" has been proposed by the EU Commission as a replacement to the Safe Harbor Agreement it is still under discussion and has not been formally adopted. In the meantime, some U.S. companies may still be relying on the defunct Safe Harbor Agreement to transfer personal data across the Atlantic. After the Safe Harbor Agreement was declared invalid by the EU Court of Justice last October, the Hamburg DPA started investigating the legal bases for continued transfers of personal data to the U.S.

According to German online media portal Spiegel Online, the Hamburg data protection authority is preparing to fine at least three of the 35 U.S. companies based in Hamburg for continuing to rely on the invalid Safe Harbor agreement as the legal basis for their transatlantic data transfers of personal data, and it is investigating two more companies for the same reason. According to information from Bloomberg BNA, at least against one of the undisclosed U.S. companies will definitely have a fine imposed by the Hamburg DPA. A fine for unauthorized data transfers to the U.S. may amount to EUR 300,000 (around USD 340,000). It is possible that other German DPA's will follow Hamburg's example and open investigations against U.S. companies subject to their jurisdiction.

If your company is conducting transatlantic data transfers, in particular from subsidiaries in Germany, take note of these investigations and consider alternatives to reduce the risk that your company will be the next target. You can read about alternative solutions for transatlantic data transfers in our previous post on U.S.–EU Safe Harbor.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.