Blog post

Loss of Safe Harbor creates regulatory fragmentation but EU-US data transfers continue

By Earl Perkins | October 06, 2015 | 5 Comments

SecurityRegulationPrivacyIT GovernanceData securityCybersecurityTechnology and Emerging Trends

I would like to introduce you to my colleague and friend Carsten Casper, who has been following today’s announcement from the European Union Commission regarding Safe Harbor. He believed this was an important event for our clients and wanted to provide some immediate comments and analysis on the topic. This coincides with another colleague of mine, Jay Heiser, who is also providing insight via his blog. Please take the time to read below– it is enlightening. Thank you!


Written by: Carsten Casper, Managing Vice President, Digital Workplace Security

The European Court of Justice (ECJ) ruled on October 6, 2015 that the EU Commission decision known as Safe Harbor is invalid. In practical terms, this means that 28 different EU data protection agencies can now decide whether or not a particular company’s data transfer arrangement between the EU and the US is legal. The full text of the ECJ ruling is available at .

This is only the latest in a series of developments about privacy differences between the EU and the US, which also includes the umbrella data protection agreement (see for law enforcement collaboration, the US attempt to access a Microsoft email account in Ireland (see and the upcoming EU General Data Protection Regulation (see with its potential extraterritorial scope.

The immediate result is uncertainty in the market.

The course of action for companies depends on various factors, especially the type of personal data being processed, whether it’s employee or customer data, and the countries in which a company operates. Since there are various legal options and implications and Gartner does not give legal advice, companies should seek information from qualified legal counsel, such as Hogan Lovells, DLA Piper, Hunton & Williams, Latham & Watkins, White & Case. A good overview of possible actions is provided at .

• Companies need to obtain legal advice, but should also consider that this is a new situation for the legal profession, including the various EU data protection authorities (DPAs).

• Replace Safe Harbor with EU Standard Model Contracts (mid-term), Binding Corporate Rules (long-term) or consider free explicit individual consent for data transfers (not scalable) or other derogations (narrow scope). As of Oct 6th, 2015 a total of 4465 companies have current Safe Harbor certifications (not expired, see ), 76 companies use Binding Corporate Rules (list at ) and tens of thousands of companies use standard model contracts (no registry available).

• Don’t think you’re off the hook if you don’t use Safe Harbor for international transfers of personal data. DPAs will feel encouraged to also evaluate model contracts and transfers to countries with recognized adequate protection – which are also based on EU Commission decisions.

• Strengthen your collaboration with data protection authorities in some countries, especially Germany, France, Spain, Italy, Poland as they will now (want to) have a greater say on international transfers.

• The ECJ ruling will have a financial impact in various ways. IT providers will feel (even more) inclined to host processing of personal data in Europe, requiring additional data center capacity. EU companies will favor data storage in Europe, potentially (having to) paying a higher price. Both parties will pay additional legal fees for new contracts, agreements and advice. EU data protection authorities need additional staff to review complaints of EU citizens.

Key Findings

• It has been clear for years that Safe Harbor is a weak mechanism. Those relying on it knew they took a risk.
• The political implications (long negotiations) are incompatible with the need for IT and business decision makers to take action (short term).
• Businesses are more concerned about fragmented compliance in Europe, less about having to stop transfers to the US.

• Start or continue using standard contractual clauses, although even these might come under scrutiny.
• Differentiate by use case. Large volumes of consumer records need to be addressed first.
• Move personal data processing to the EU only if there is a clear business case, including actual (not just potential) fines or lost revenue due to lost customers.
• Focus compliance on big EU countries like Germany, France while waiting for new EU-wide agreements for transfers to the US, law enforcement collaboration or general data protection.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Are there any impacts on the power and utilities or medical industry software in the EU and the USA?

    Michael Adeeko
    DL2C(ColorCodeIT)-Cool Vendor May 2012

  • Anon says:

    The links are missing in the blog. Could you please provide these (search for “here” and you find where the links are missing).

  • John Bartho says:

    Thoughts on Loss of Safe Harbor — the links noted within are missing and request these be added/updated.

  • Earl Perkins says:

    Re: Michael’s question: Yes, if they used Safe Harbor to transfer personal data from the EU to the US, then they will need to change that– the methods used to do that change will vary.

  • Earl Perkins says:

    For John and ‘Anon’, I have recopied Carsten’s blog and keeping the references– accept my apology for missing that. Thank you for pointing it out.