Safe Harbor was the first decision made by the EU Commission in 2000 that allowed EU companies to transfer personal data from a European Union country to the US in compliance with EU data protection legislation: a transfer tool. Such a tool was deemed necessary because personal data may not be transferred to third countries whose level of data protection is not comparable to that in the EU. The US is such a country. At the same time, a complete standstill of data transfers between such interconnected economies was – and is – not desirable.
To this end, the EU permitted data transfers to US companies that agreed to comply with the Safe Harbor principles:
- Notice – data subjects must be informed regarding the processing of their data.
- Choice – data subjects must have the option to opt out.
- Onward Transfer – onward transfers of personal data are only permitted to recipients that follow adequate data protection principles.
- Security – reasonable efforts must be made to prevent the loss of personal information.
- Data Integrity – personal data must be relevant and reliable for the underlying purpose of processing.
- Access – data subjects must be able to access and correct their personal data.
- Enforcement – data subjects must be given effective means of enforcing these rules.
Safe Harbor was declared invalid by the European Court of Justice (ECJ) in the Schrems I judgment.