A German regulator has fined three companies for still relying on a Safe Harbor agreement to electronically transfer personal data to the United States, despite the deal being declared invalid by the EU’s highest court last year on concerns about U.S. mass surveillance activities.
The Hamburg Data Commissioner said on Monday it had fined Adobe Systems (ADBE), fruit juice maker Punica, a subsidiary of PepsiCo (PEP), and Anglo-Dutch consumer goods group Unilever (UL) a total of 28,000 euros ($32,000) for failing to set up alternative legal channels for cross-border data transfers quickly enough.
Companies that need to transfer personal data to the United States—be it for completing credit card transactions, hotel bookings, or moving employee data—have been operating in a legal limbo since the Court of Justice of the European Union (ECJ) struck down the Safe Harbour pact last October, depriving them of the easiest means available under the EU’s strict data protection laws for authorizing data transfers.
Get Data Sheet, Fortune’s technology newsletter.
For 15 years, the Safe Harbor agreement had allowed companies to store data about European Union citizens on U.S. servers by stating that they complied with EU data protection standards.
Adobe was fined 8,000 euros, Punica 9,000 euros and Unilever 11,000 euros.
The regulator said they had put in place alternative legal mechanisms for transferring data to the United States following the fine.
“The fact that the companies have eventually implemented a legal basis for the transfer had to be taken into account in a favorable way for the calculation of the fines,” said Johannes Caspar, the Hamburg Commissioner for Data Protection. “For future infringements, stricter measures have to be applied.”
The EU’s 28 data protection authorities gave companies a three-month grace period to bring their U.S. data transfers in line with EU law after the ruling.
Hamburg’s action is the most high-profile example of a regulator cracking down on companies for not changing the way they move data to the United States.
The Hamburg regulator said it had conducted inspections on 35 “internationally active Hamburg-based companies” and most of them had set up alternative legal arrangements to shift data to the United States, such as “standard contractual clauses.”
But some companies had failed to set up such contracts—standard templates drawn up by the EU executive to allow cross-border data transfers to be made under EU privacy laws—even six months after the ECJ ruling.
“The data transfer of these companies to the USA was thus without any legal basis and unlawful,” the regulator said in a statement.
However, Caspar said standard contractual clauses would also have to be scrutinized to decide if they give sufficient protection to Europeans’ data, leaving open the possibility that regulators will restrict their use too.