The abolition of Safe Harbor and its consequences


The Safe Harbor Decision by the EU Commission to determine an appropriate level of data privacy for the transfer of personal data in the United States has been consigned to history. Under case number C-362/14, the European Court of Justice (ECJ) in Luxembourg has issued a landmark judgment in the case Schrems vs Facebook that will have repercussions for the entire Internet economy.

Thomas Kremer, Board member for Data Privacy, Legal Affairs and Compliance.

It is clear from reactions in the media that the decision has come like a thunderbolt, the sheer clarity of which few had anticipated, especially so soon after Advocate General Yves Bot delivered his opinion. The ECJ has declared the EU Commission's "Safe Harbor" Decision from July 2000 to be void – and with immediate effect. It is clear, says the ECJ, that the level of protection for personal data in the United States is inadequate because the data of European customers is not sufficiently protected from access by U.S. security agencies.

In 2000, the EU Commission had declared the United States to be a "safe harbor" as defined in the Safe Harbor Agreement. Accordingly, U.S. companies were able to self-certify that they met European data privacy regulations. This required entering into a number of voluntary commitments to data privacy vis-à-vis the U.S. Federal Trade Commission (FTC).

More than 4,400 companies had declared their commitment to seven essential European data privacy principles to the FTC, pursuant to the Safe Harbor Decision. However, these principles were not implemented effectively in the companies and legal protection in the United States for the affected European citizens is limited and not particularly effective. In addition, the revelations by Edward Snowden have made it clear to a wider public that U.S. security agencies save all the personal data of all persons that is transmitted in the United States – without differentiation, restriction or exception.

This situation was unacceptable. Here in Europe, the privacy of personal data is one of the shared fundamental values that unites us all. And this must be effectively protected. For this reason, we, Deutsche Telekom, had called early on for the existing Safe Harbor regulation to be withdrawn and replaced by a new system with effective protection mechanisms for personal data. Following the ECJ judgment, the German government, the EU Commission and the United States are called upon, now more than ever before, to create an appropriate basis for data exchange between Europe and the United States. In our increasingly digital world, a secure transatlantic data exchange is imperative.

And, crucial to improving European data privacy, we need the European General Data Protection Regulation. This includes the "marketplace principle," under which European data privacy law applies to all those who wish to offer their products and services in Europe, regardless of where the provider is based, be it Europe, the United States or Asia. In the future, the EU-wide legislation will offer a wide range of protective mechanisms when data is to be saved outside of Europe. For example, companies can be certified to the standards of the General Data Protection Regulation. This will ensure that even companies from countries outside of Europe comply with European data protection standards when processing the data of EU citizens. In addition, international data transmission is also possible using effective instruments such as binding corporate rules, standard contractual clauses and the consent of data subjects. Again and again, we hear from Brussels that negotiations for the new European data privacy law are to be completed by the end of the year. Following the judgment of the ECJ, it is clear that this timetable must be adhered to. Further delays must not be allowed.

But at the same time, telecommunications companies can also do something to make data traffic more secure for their customers. If data being transmitted over the Internet is no longer directed through other jurisdictions, such as the United States, then data traffic becomes safer as a whole. That is why we were early in calling for an "Internet of short distances," which ensures a direct route from sender to recipient when transporting data. We have already implemented this in our networks. We want to make unauthorized external access to data transported in Europe much more difficult and are committed to ensuring that as many Internet providers as possible get on board with the idea of the Internet of short distances.

The issue of secure encryption of the contents of communications is also important for the protection of personal data. Effective end-to-end encryption that is also easy for consumers to use provides greater security, including against inappropriate access by security agencies.

For Deutsche Telekom, the ECJ's judgment means that we must take responsibility. In talks with our European corporate customers we are already finding that they are skeptical about data being stored outside of Europe, and demand for cloud services "made in Europe" is on the rise. We are meeting the need for secure data transfer with our encryption technologies. Furthermore, Deutsche Telekom guarantees the same high security standards in all of its data centers, not just the German ones. This is verified every year.

When working with companies from non-EU countries, we demand that the solutions offered be saved and processed in our data centers. If that is not possible, we require compliance with the EU standard contractual clauses. If the partner does not accept the standard contractual clauses, we forgo the service or make this transparent for our customers so that they can decide for themselves.

Data protection and data security are among the top priorities at Deutsche Telekom. Our customers and employees must be able to have confidence that their data is protected. We want to make sure that digital business models are designed to be data protection-friendly. We are well on the way to doing this.