Safe Harbor

Ignoring the Judges

Data SH Imago
What next for data transfer?
  • Why it matters

    Why it matters

    A recent ruling technically made all transfers of personal data from the E.U. to the U.S. illegal. But few think this will ever really be enforced.

  • Facts


    • “Safe Harbor” refers to a legal agreement that had allowed U.S. web businesses to operate without complications in Europe.
    • This month the European Court of Justice declared “Safe Harbor,” to be invalid, but the majority of businesses haven’t changed a thing.
    • German data protection authorities have announced a three-month grace period. After this, they have threatened firms with €300,000 fines.
  • Audio


  • Pdf

What’s the use of a court ruling if everyone ignores it?

This is the dilemma facing Germany’s regional data protection authorities following a ruling by the European Court of Justice (ECJ) overturning the Safe Harbor agreement with the U.S.

Earlier this month judges ruled that transferring personal data to the U.S. – previously allowed under Safe Harbor – is now illegal. That’s because once it lands in U.S. servers, data is not sufficiently protected against government snooping.

In fact, the ruling should have immediately stemmed the flow of data to the U.S.

Yet it’s being roundly ignored in Germany – for now.

According to the Chambers of Industry and Commerce in two German states, North Rhine-Westphalia and Baden-Württemberg, few if any companies have reacted by stopping data flows.

At a meeting of German data protection authorities on Wednesday, most states agreed to observe a transition period.

During this period, companies are to look for alternatives business practices which avoid transferring data to the U.S. Only after this grace period will enforcement measures kick in, including possible fines of up to €300,000.

The ruling is being roundly ignored in Germany, for now.

German authorities are taking their cue from their European Union counterparts.

The E.U.’s Article 29 privacy working group, made up of national data protection authorities, this week said it would grant a grace period of three months for the European Commission and the U.S. government to come up with a satisfactory solution for transferring data across the Atlantic.

Also, the working group has tasked data protection authorities in individual member states with looking for solutions to further regulations also voided by the ruling.

Some doubt, for instance, whether the E.U.’s standard contractual clauses and so-called binding corporate rules governing personal data transfer are still applicable.

E.U. member states are looking to present a coherent response to the altered legal landscape. But because data protection authorities act independently of each other, it could still be that the ruling could have differing consequences for companies depending on where they are based.

Yet even in Germany, Europe’s strictest privacy advocate, few companies will feel much pressure to change data practices. Even when the grace period expires, firms have little to fear in terms of enforcement.

“A complete overview of the extent of data processing, with possible flows of data to the United States, just doesn’t exist,” said Marit Hansen, data protection commissioner for the northern German state of Schleswig-Holstein.

Nor does any authority have the staff to pursue laborious enforcement proceedings, she added.


Anja Stehle is a reporter for Handelsblatt based in Berlin. To contact the author:


We hope you enjoyed this article

Make sure to sign up for our free newsletters too!