Data privacy No Sign of a Safe Harbor

Companies fear stiff fines as the trans-Atlantic deal for transferring and storing digital information on customers expires Monday. Can the E.U. decide on a new data quid pro quo by Tuesday?
A veritable data wall is going up between the U.S. and E.U.

Four months after “Safe Harbor” was declared illegal, the deadline for reaching a new data transfer deal between Europe and the United States will likely pass next week with no solution.

During the transition period, companies operating in Europe were still allowed to transfer personal information and save it in U.S. data centers. But as the January 31 deadline looms, many firms that cooperate with U.S. service providers could face hefty penalties, including some German companies.

Big questions must be answered before an agreement can be reached. Is the Internet a borderless place? Who decides the data quid pro quo between companies and their customers? Representatives from the E.U.'s 28 national agencies that deal with data protection must come to an agreement Tuesday, or risk sinking tens of thousands of companies into a legal quagmire.

Even ahead of the agreement's expiration, companies that invoke Safe Harbour are already coming under pressure. Sabre, a leading U.S.-based travel-booking network, is used by nearly a quarter of travel agents throughout Germany to book thousands of flights, cruises, hotel reservations and car rentals. The problem is, once a reservation is booked, the personal information of German customers can end up in a data center in Texas.

Companies here are left to fend for themselves and exchange information with their subsidiaries, branches or partners in a manner that adheres to data protection. Marco Lenck,, head of the German SAP users group

Beginning next month, companies that transfer data based on Safe Harbour — which the European Court of Justice annulled last October — could be fined up to €300,000, or about $330,000, according to Andreas Schulz, a data protection expert at Bitkom, Germany’s digital industry association.

That prompted Marija Linnhoff, head of the Association of Independent Travel Agencies, to urge German travel agents who used Sabre to change their “booking system provider.”

Writing in his blog this week, the head of Sabre in Germany, Rainer Schäfer, countered that his company was using the European Commission’s standard contractual clauses as a legal foundation, not the invalidated Safe Harbour agreement. The E.U. Commission has stressed that other legal mechanisms are still valid.

But in view of the vast powers of the U.S. National Security Agency (NSA), both German and European data protection authorities believe these clauses, corporate rules and other means of data transfer now hang in the balance.

In ruling against Safe Harbour, Europe’s top court cited revelations by NSA whistleblower Edward Snowden. The court said U.S. intelligence was basically allowed to access electronic communications, which violated the “basic right to respect for privacy.”

A Sabre spokesperson said the company was “keeping an eye on the legal situation.”

The issue is raising concern in numerous sectors. Bitkom, for instance, warns that other data transfer regulations don’t offer legal security after the switch from Safe Harbor.

The DSAG organization of German SAP users, whose members include many blue-chip DAX-listed companies, has also sounded the alarm.

“Companies here are left to fend for themselves and exchange information with their subsidiaries, branches or partners in a manner that adheres to data protection,” said Marco Lenck, head of the SAP users group. “A new agreement is absolutely necessary and must be drawn up in time.”

But just days before the deadline, a solution is nowhere in sight. Only a new agreement that takes into consideration the top court’s ruling can achieve this, said Germany’s justice minister Heiko Maas this week. So far, U.S. negotiators have refused changes that would appease their European counterparts.

Big U.S. IT providers have already taken precautions, and not only because of skepticism they faced after the NSA spying scandal.

Microsoft is saving the data of European customers in Ireland and plans to set up a trustee model in Germany, with Deutsche Telekom as the safeguard for data.

Other providers, such as Cisco, Salesforce and Huawei, set up shop in a huge IT factory near Magdeburg in 2014, while Amazon has a data center in Frankfurt.

As a new agreement seems far off, many companies like Sabre are feeling the heat. Its European rival, Amadeus, is probably delighted: The Bad Homburg-based company has a new data processor and business is picking up. Another provider of booking systems, Bewotec, is also hurrying into the foray, assuring that its data is kept solely in Düsseldorf.

Meantime, the German government’s policy is not helping companies. Talks were last held earlier this month at the economics ministry in Berlin. They were headed by the state secretary, Matthias Machnig of the center-left Social Democrats, with representatives of commerce and data protection authorities, but yielded no results.

A government statement merely said that it had told the E.U. Commission and United States to seek a “swift deal on a new Safe Harbour Agreement.”

That’s little solace for companies like Sabre, which already are caught in rough waters.


Christof Kerkmann writes about the technology sector for Handelsblatt. Christoph Schlautmann covers logistics. To contact the authors: [email protected] and [email protected].