The recent vote at the European Parliament-by an overwhelming majority of 544 to 78 members-calling for the immediate suspension of Safe Harbor has sent some powerful shockwaves across the business and legal communities in the EU and beyond. This should not have come as a surprise, but it is still a chilling reminder of the uncertainty surrounding the scheme-possibly the most widely relied upon mechanism to legitimise data flows between the EU and the U.S. The big question that remains is whether EU-based organisations that rely on Safe Harbor as the legal basis for transferring data to either their own corporate group entities or service providers operating in the U.S. are doing the right thing or should be looking for alternatives. One thing is clear: Safe Harbor is not a silver bullet for compliance. It should be regarded as a well-established set of principles that can act as the basis for a fully-fledged global privacy programme. What really matters is to be able to show, both internally within an organisation and externally to third parties, that beyond the words and the paperwork, there is real evidence of commitment to the protection of personal information.