German Data Protection Authority Fines Companies for Transferring Data to the United States
Following the CJEU 's judgment of October 2015 invalidating the European Commission 's Safe Harbor Decision, the Data Protection Authority Hamburg (DPA Hamburg) started investigations against 35 internationally operating companies in Hamburg. According to a press release of DPA Hamburg, these investigations revealed that the majority of the companies under investigation had used the six month grace period, as set by the Article 29 Working Party, to change their practices to be based on standard contractual clauses. However, according to DPA Hamburg, some companies under investigation have failed to implement alternative measures in order to legitimize data transfers to the United States. Consequently, DPA Hamburg determined that data transfers by those companies lack a sufficient legal basis and are, therefore, illegal. The investigations of DPA Hamburg demonstrate that German DPAs are keen to investigate and fine companies which have failed to take appropriate measures.