Safe Harbor

Safe-Harbor was the first decision made by the EU Commission in 2000 that allowed EU companies to transfer personal data from a European Union country to the U.S. in compliance with EU data protection legislation: a transfer tool. Such a tool was deemed necessary as it is not permitted to transfer personal data to third countries whose data protection does not have a level of protection comparable to that in the EU. The US is such a country. At the same time, a complete standstill of data transfers between such interconnected economies was – and is – not desirable.

To this end, the EU permitted data transfers to US companies that agreed to comply with the Safe Harbor principles:

  • Notice – data subjects must be regarding the processing of their data.
  • Choice – data subjects must have the option to opt-out.
  • Onward Transfer – onward transfers of personal data are only permitted to recipients that follow adequate data protection principles.
  • Security – reasonable efforts must be made to prevent the loss of personal information.
  • Data Integrity – personal data must be relevant and reliable for the underlying purpose of processing.
  • Access – data subjects must be able to access and correct their personal data.
  • Enforcement – data subjects must be able must be given effective means of enforcing these rules.

Safe Harbor was declared invalid by the European Court of Justice (ECJ) in the Schrems I judgment.