The Fall of Safe Harbour and the Unresolved Predicament it Leaves Behind
In the aftermath of the European Court of Justice's (ECJ) invalidation of the Safe Harbour agreement in October 2015, businesses have been navigating the complexities of cross-Atlantic data transfers. As of August 2025, there is no explicit update on the progress or conclusion of Safe Harbour 2.0 negotiations, the proposed successor framework to the original agreement.
The absence of a finalized Safe Harbour 2.0 framework has left businesses in a state of uncertainty, seeking alternative methods to comply with data protection rules. One such method is the use of EU Model Clauses, although their acceptance varies among EU Data Protection Authorities (DPAs). For instance, the Austrian DPA initially stated it would accept Model Clauses, but later clarified that specific transfers based on Model Clauses would still need approval. Some DPAs, like the one in Germany, have announced that data transfers based on EU Model Clauses are no longer permitted.
In the meantime, businesses are taking proactive steps to reduce exposure by anonymizing sensitive personal data before it leaves a country, using a cloud access security broker (CASB) to encrypt or tokenize sensitive data. This approach allows businesses to continue sharing data across regional boundaries while ensuring privacy compliance.
However, the acceptance of Model Clauses among EU DPAs is questionable, with some agreeing reluctantly and reserving the right to sue if they perceive a privacy breach. A new Safe Harbour agreement, if established, is unlikely to grant the same level of immunity as the previous one.
The UK Information Commissioner's Office (ICO) has advised businesses to review their data transfer methods to the US, acknowledging that it may take them time to do so. The ECJ's decision plunged thousands of companies into operational uncertainty, and businesses are still grappling with the implications.
User consent is a legal band-aid offered by the ECJ, but it is not universally accepted due to privacy laws in certain countries, such as Germany and Spain. Employees are not considered to have the right to give consent for data transfers.
Cloud vendors like Google, Salesforce, and Microsoft have offered amended contracts with Model Clauses, but their acceptance is questionable among many EU DPAs. DPAs in several European countries, including Ireland, France, Italy, Netherlands, Belgium, and Portugal, are studying the issue and aim for a unified position from European authorities.
As the negotiations for Safe Harbour 2.0 continue, businesses must remain vigilant and adaptable in their data transfer practices. Keeping abreast of updates from official EU Commission releases, the European Data Protection Board, or authoritative privacy law sources is essential for staying informed on this evolving issue.
[2] Notable examples of cross-border data protection cooperation can be found in the April 2025 Philippines-Bermuda Memorandum of Understanding for enforcement cooperation on cross-border data transfers, highlighting global efforts on such issues generally.
- As businesses seek alternative methods to comply with data protection rules in the absence of a finalized Safe Harbour 2.0 framework, they are increasingly turning to technology solutions like cloud access security brokers (CASB) to encrypt or tokenize sensitive data before transfer, allowing them to continue sharing data across regional boundaries while ensuring privacy compliance.
- The evolution of data protection laws and regulations, particularly in cross-Atlantic business transactions, is increasingly intertwined with technology, as demonstrated by the use of Model Clauses, cloud security solutions, and international cooperation agreements in countries like the Philippines and Bermuda.
