Safe Harbor

TL;DR;

Safe Harbor refers to a 2000 decision of the European Commission that was meant to provide a set of standards for the transfer of private data from the EU to the US. It has not been valid since 2015, when it was established that the US can't provide an adequate level of privacy protection.

What is the Safe Harbor?

"Safe Harbor" refers to the 2000 decision of the European Commission regarding the transfer of private data from the EU to the US. It is directly connected to the "Safe Harbor Privacy Principles" published by the US Department of Commerce on 21 July 2000 and to the Directive on Data Protection from 1995 (implemented in 1998). The Directive was the first document to require that the personal data of EU citizens be transferred to non-EU countries only if those countries could provide an "adequate level of privacy protection".

The purpose of this bilateral agreement was to facilitate trade between the EU and the US while making sure that the private data of citizens (customers) would be kept safe during international transfer. In order to still be able to transfer data efficiently from the EU to the US after the 1998 Directive, the two parties established this protocol, which provided a framework for how US companies could provide the "adequate level of data protection".

This was done with the prevention of accidental loss of personal data in mind, but it later had major implications in connection with the national security laws in the US. In 2015, the agreement was considered obsolete after the Schrems I case, in which an Austrian citizen argued that Facebook could not provide adequate protection of his personal data in the US.

As a consequence, the US and the EU established another agreement, the EU-US Privacy Shield, which was also invalidated in 2020.

 
