Data protection authorities in ten different German Lander (states) are currently undertaking a coordinated investigation into 500 large companies to determine how they handle data transfers to countries outside the European Economic Area (EEA). Companies that have established transfer procedures that are compliant with data protection laws in another EEA state may find that they do not meet strict German compliance requirements. This is because there has to be a powerfully legitimate reason to transfer data, especially to another country – even if it is another EEA state. This contravenes EU internal data freedom laws, but as the restrictions would need to be challenged at the European Court of Justice, defending a free data movement position could involve significant legal costs.