With the EU-US Privacy Shield a work in progress, EU enforcement for noncompliance with EU data protection standards has begun.

As anyone who is responsible for AML and/or FCPA compliance due diligence knows, the 16-year “Safe Harbor” agreement between the US and EU became obsolete last October as a result of a determination by the European Court of Justice. The decision threatened to cause significant damage not just to the operations of social media businesses and financial institutions concerned with AML/KYC compliance and international corporate FCPA third-party due diligence efforts, but even to routine payment, HR and client servicing activities that customarily involve the sharing of personal data between EU and US companies.

Initially, the EU agreed to allow a 90-day grace period to develop a new agreement that complies with EU data privacy law. In February 2016, the EU-US Privacy Shield was announced. Problem solved? Not so fast!

On May 30, the EU Data Protection Supervisor issued an Opinion similar to the conclusions reached by two other EU bodies — the EU Parliament and the Article 29 Data Protection Working Party — concluding that more work needs to be done to bring the Privacy Shield into concordance with EU data privacy law.

While work will continue between the EU and the US Department of Commerce to this end, the grace period on enforcement actions ended months ago.

The grace period on enforcement actions ended months ago.
— Kevin Ford

On 6 June 2016, the first such actions were announced by the Data Protection Commissioner of Hamburg against three firms: Adobe Systems, Punica and Unilever. That’s right, not one of the 28 EU member nations’ Data Protection Commissioners, but that of the German State of Hamburg. (There is a Data Protection Authority for each of the 28 EU member states as well as one for each of Germany’s 16 States.)

The three firms were accused of failing to adopt adequate legal procedures for their data sharing to meet EU data protection standards. The fines were modest — a total of 28,000 euros ($32,000) — but came with a warning by the Hamburg Data Protection Commissioner that future enforcement actions may result in greater fines.

It is likely that the Hamburg Data Protection Authority will bring more enforcement actions — and, in fact, the Commissioner has said as much.