* Top EU court struck down U.S.-EU data transfer pact last
year
* Companies have had to set up alternative legal systems
* German regulator fines three companies for failing to do
so
By Julia Fioretti
BRUSSELS, June 6 A German regulator has fined
three companies for still relying on a Safe Harbour agreement to
electronically transfer personal data to the United States,
despite the deal being declared invalid by the EU's highest
court last year on concerns about U.S. mass surveillance
activities.
The Hamburg Data Commissioner said on Monday it had fined
Adobe Systems, fruit juice maker Punica, a subsidiary
of PepsiCo, and Anglo-Dutch consumer goods group
Unilever a total of 28,000 euros ($32,000) for failing
to set up alternative legal channels for cross-border data
transfers quickly enough.
Companies that need to transfer personal data to the United
States - be it for completing credit card transactions, hotel
bookings or moving employee data - have been operating in a
legal limbo since the Court of Justice of the European Union
(ECJ) struck down the Safe Harbour pact last October, depriving
them of the easiest means available under the EU's strict data
protection laws for authorising data transfers.
For 15 years the Safe Harbour agreement had allowed
companies to store data about European Union citizens on U.S.
servers by stating that they complied with EU data protection
standards.
Adobe was fined 8,000 euros, Punica 9,000 euros and Unilever
11,000 euros.
The regulator said they had put in place alternative legal
mechanisms for transferring data to the United States following
the fine.
"The fact that the companies have eventually implemented a
legal basis for the transfer had to be taken into account in a
favourable way for the calculation of the fines," said Johannes
Caspar, the Hamburg Commissioner for Data Protection.
"For future infringements, stricter measures have to be
applied."
The EU's 28 data protection authorities gave companies a
three-month grace period to bring their U.S. data transfers in
line with EU law after the ruling.
Hamburg's action is the most high-profile example of a
regulator cracking down on companies for not changing the way
they move data to the United States.
The Hamburg regulator said it had conducted inspections on
35 "internationally active Hamburg-based companies" and most of
them had set up alternative legal arrangements to shift data to
the United States, such as "standard contractual clauses".
But some companies had failed to set up such contracts -
standard templates drawn up by the EU executive to allow
cross-border data transfers to be made under EU privacy laws -
even six months after the ECJ ruling.
"The data transfer of these companies to the USA was thus
without any legal basis and unlawful," the regulator said in a
statement.
However, Caspar said standard contractual clauses would also
have to be scrutinised to decide if they give sufficient
protection to Europeans' data, leaving open the possibility that
regulators will restrict their use too.
($1 = 0.8797 euros)
