Concrete ramifications of Safe Harbor strike down ruling by EU court?

Hi there,

The EU court just invalidated Safe Harbor, and I’m trying to figure out the ramifications & the required changes, as an EU-based B2B SaaS bootstrapper.

Many EU-based SaaS bootstrappers leverage all kind of US-based services (think: Mandrill, Mailchimp, Heroku, AWS, EngineYard, and many more), provided that they were Safe Harbor compliant, to make their current work possible.

Since the Snowden revelations occurred, it became clear to me that Safe Harbor wouldn’t hold too long in its current state, since otherwise it would have been a blatant joke. It “just” took one persistent activist (Maximillian Schrems) and we’re there today.

So now as bootstrappers, I’m left with questions such as (brainstorming):

  • Are we indeed required by law to stop using US-based services in their current form?
  • Is there a legal way (like asking customers consent explicitely) to still use these services?
  • If we start using local alternatives (sometimes less good, or even less secure in a way), won’t that cause issues later for US-customers (I’d expect US to backfire in a way, maybe in a couple of months / years)?

I hope to start a useful discussion (pragmatic takes, no trolling, no “this is all NSA’s fault” & other opinions - let’s keep this usable), a bit like what @rachelandrew did for EU VAT.

If you have interesting facts or understandings, please share :smile:

(As a sidenote, I can say I’m seriously considering targeting France only for my next SaaS (at least to get started), because finding Safe Harbor providers, then EU VAT complexities, then now this, is getting tiring).


I would hold fire and see how this plays out for now - much bigger concerns than ours are effected and this could be huge… or nothing… depending on how its interpreted, enforced and perhaps replaced.

1 Like

That’s also my current position - I don’t want to over-react, or react too soon, yet I’m willing to do initial research to get a better understanding, start a discussion, and ultimately do what needs to be done.

1 Like

At day job - legal is still digesting this and trying to figure it out. So holding fire seems to be what everyone is doing.

1 Like

To underline one point, since someone reminded me of that on twitter: I have the feeling that the consequences won’t be the same for B2B and B2C (even if you also happen to store “personal data” at times in B2B, like billing information etc), and that it will be easier to handle B2B.

Time will tell.

I’m also worried about this. This weekend I had planned to setup my new SaaS application server, a Linode VPS LAMP server hosted at London. But the problem is that currently I’m targeting Spanish users, so I don’t know if I can hire an american server which is located in the UE without breaking UE privacy laws. It’s so difficult… :confused:

I actually created a mini-website around the impact of Safe Harbour, the implications and a list of European SaaS companies you can switch to if you need an EU legislation-compliant place to put your data.

You’ll find it at

If you have a SaaS company that hosts its data solely in the EU, I’d be happy to add you to the site!