Post-Safe Harbor: Adobe fined for shipping personal info to the US 'without any legal basis'

A German regulator has fined three companies for failing to change the way they share people's personal information following the invalidation of the Safe Harbor agreement last year.

The Hamburg Data Commissioner fined Adobe €8,000 ($9,084), Pepsi subsidiary Punica €9,000 ($10,220) and Unilever €11,000 ($12,491) because they had not "established allowed alternative methods" six months after the transatlantic pact was struck down by the European Court of Justice.

The Safe Harbor agreement allowed companies in the US and Europe to swap people's private records, but was shut down after it was feared all that information was flowing straight into the NSA's servers.

The fines are peanuts to the companies, but they serve to highlight the enormous problems that companies face without a catch-all agreement covering data flows.

The commissioner's office said it had conducted inspections on 35 "internationally active Hamburg-based companies" and found that while the majority had changed their data transfer policies "within several months" of the agreement being struck down by introducing new contract clauses, several had not.

As such, "the data transfer of these companies to the USA was thus without any legal basis and unlawful," the commissioner wrote, although his office noted that the fine could have been higher except for the fact that the companies in question changed their approach almost immediately after being informed they were in breach.

The fines are merely a warning shot, and the commissioner's office said that "stricter measures" will be applied in future.

Give me my shield

The official release [PDF] also referenced the ongoing issues with the proposed replacement to Safe Harbor – the so-called Privacy Shield.

Despite having been subject to intense negotiations between EC and US officials, the Privacy Shield is facing a significant challenge in being formally approved. Just a week ago, the European Data Protection Supervisor said it was "not robust enough to withstand future legal scrutiny" and refused to endorse it. And in April, Europe's data protection authorities said the new agreement was "not acceptable."

The biggest areas of concern are the continued exemption of the rules for the US security services – meaning that mass surveillance may be able to continue unhindered – and the lack of teeth and independence on the part of the ombudsman that would hear any complaints about data misuse.

As for the Hamburg data commissioner, Johannes Caspar, he said: "It remains to be seen whether the succession plan for Safe Harbor, the Privacy Shield, that the EU Commission presented end of February, establishes an adequate level of data protection," and he references the other concerns already expressed.

He adds: "Against this background, it is necessary to decide on the admissibility of those alternative transmission tools, especially on the so-called standard contractual clauses, that are currently not objected."

In other words, these fines were just a first pass. If the Privacy Shield doesn't get formally approved, Hamburg – and many, many other European cities – will be delving into the data practices of companies operating under their jurisdiction. ®