Personal data can be transferred to a third (i.e. non-EU) country, when this third country ensures an adequate level of protection for such data, according to the EU directive on the protection of individuals with regard to the processing of personal data. The European Court of Justice (ECJ) has now ruled that the ‘Safe Harbor system’, which allows data transfer from the EU to a ‘safe harbor US company’, does not offer sufficient privacy safeguards. The ECJ primarily based its decision on two grounds: (1) the US authorities can access and process the transferred data in a way which could exceed the limits imposed by the directive and (2) there is no administrative or judicial appeal possible for the concerned individuals (e.g. with respect to the access of data or the right to ask for a correction or removal of data).