After the ECJ decision, companies needed to implement certain rules (the only practical way, according to German authorities, being the EU model clauses) in order to sufficiently comply with data protection requirements.
Nevertheless, some companies failed to meet these demands even six months after this judgement. The Hamburg data protection authority’s probe into 35 companies showed that while the majority of the reviewed companies has made use of the EU model clauses, some companies failed to take sufficient measures.
Even if in the meantime, all of the investigated companies have made their data transfer procedures compliant with EU law, it must be assumed that now the authorities in other German states and elsewhere in the EU will also initiate or intensify similar reviews. Therefore, anyone sharing or transferring personally identifiable information from Europe to the USA would be well advised to legally examine their present data protection arrangements.
Although there are significant legal concerns against the usage of the EU model clauses, the authorities apparently consider them (at least for the time being) as a sufficient mechanism. The EU-U.S. Privacy Shield as the follow-up agreement to Safe Harbor, on the other hand, is still viewed with much criticism.