The U.S. and EU are putting the finishing touches on “Privacy Shield,” the successor to their struck-down Safe Harbor data-transfer agreement, but it’s not quite there yet. And in the meantime, companies still sending people’s personal data from the EU to the U.S. under the Safe Harbor scheme are breaking the law.
So here comes the crackdown, starting in the German city-state of Hamburg. According to local media, the Hamburg data protection authority is preparing to fine three companies for relying on Safe Harbor as the legal basis for their transatlantic data transfers. Two other firms are also under investigation.
The names of the firms have not yet been released, but Hamburg data protection authority Johannes Caspar said they were “large international companies” whose legal teams should know better.
Safe Harbor was a deal struck back in 2000 that let U.S. companies self-certify that they adhere to EU-grade privacy standards, even if the U.S. as a whole does not. Normally, the European Commission has to declare the full “adequacy” of a country’s data protection laws, if Europeans’ personal data is to be legally transferred there. The EU’s top court nullified the agreement last year, saying it did not comply with EU data protection law—particularly in the light of Edward Snowden’s PRISM revelations in 2013.
The bloc’s many data protection regulators (one for each of the 28 EU countries, plus one for each of Germany’s 16 states) agreed to temporarily delay their crackdown on companies still using the now-nonexistent deal as the basis for their data transfers. Their deadline was the start of this month and, while the upcoming Privacy Shield deal will supposedly provide a suitable replacement for Safe Harbor, there’s nothing to stop the regulators from launching that crackdown in the meantime.
It’s no surprise to see Hamburg take the lead. Caspar’s office has always been one of the most enthusiastic enforcers of European privacy law—he’s the one going after Facebook over its “dangerous” real-names policy, for example, and he’s also been a thorn in Google’s side over its data privacy policies.
The French data protection authority, CNIL, recently accused Facebook of still transferring data to the U.S. under Safe Harbor, but Facebook has strenuously and repeatedly denied this. Whatever the case (and it does seem Facebook is using an alternative, still-legal mechanism called “model clauses”), CNIL is only at the scolding stage, rather than preparing actual fines.
Many international tech firms have offices in Hamburg, although it’s quite possible that the companies in Caspar’s sights are some other kind of multinational that needs to transfer personal data. Around 4,500 firms were signed up to Safe Harbor, after all.
Caspar’s office told Fortune the companies in question were all subsidiaries of U.S.-based global corporates. However, it refused to say in which industrial sectors they operate, due to ongoing proceedings.
This article was updated to include the response from Caspar’s office.