What did the Safe Harbor agreement actually do?

In EU law (from which the UK Data Protection Act is drawn), a Data Controller who needs to transfer data outside of the European Economic Area must do due diligence on where they intend to send the data.

They need to satisfy themselves that the data protection will be the same or better than provided within the EU. 

It’s quite an undertaking, because if anything goes wrong it’s down to the Data Controller to prove they took all reasonable steps to ensure the data’s safety. If they can’t do that, they could well have broken the law.

It also counts if the personal data belongs to EU Citizens and is being gathered by a non EU organisation, like Facebook for instance.

Enter Safe Harbor, an agreement between the EU and the US that allowed any organisation agreeing to its principles to be deemed adequate in relation to data protection.  

The principles of this agreement were developed between 1998 and 2000, with the European Commission rubber stamping the agreement in July 2000.

This allowed EEA businesses to export data to the US with a clean conscience. It also allows US companies to process data they have gathered on EU citizens.

So what does a US data processor need to do to belong to this exclusive crowd of data protection stalwarts?

It might go something like this:

US data processor:          

Hey Buddy, I want to join the ‘Safe Harbor’ crowd.


Ok, you’ve got to do something first.

US data processor:          

Right. so what might that be then?


See these data protection principles? Just say you agree to them.

US data processor:          

Is that it?



US data processor:          

Ok… in that case, yes I agree, count me in!

No promises, no guarantees…

Lack of protection

To add to the lack of substance in the ‘Safe Harbor’ the Court of European Justice has ruled that the agreement is invalid due to other more fundamental reasons.

This is because, to paraphrase the court’s ruling, the US authorities’ wide ranging powers of interference and surveillance and the absence of any administrative or judicial means of redress compromise individuals’ fundamental rights to respect for private life and to effective judicial protection.  

That suggests, that not only is EU citizens’ data unsafe in the US, but US citizens are no better protected either.

The UK Information Commissioner’s Office (ICO) has already issued a statement saying that negotiations on an updated Safe Harbor are already in an advanced stage.

However, seeing that the Court of European Justice ruling cites a disagreement with what is a key US security policy, this process is likely to go on for some time. For now, Safe Harbor is finished.

What actions to take now!

Does this mean the end of data transfers and processing across the pond? What happens now?

Well, apparently you don’t need to panic, because there are a number of options available for organisations that rely on transferring data to the US. Actions you could take now:

  • Identify all of your personal data that goes to the US. This could be something like CRM systems or US-based service providers.
  • Review the terms of the suppliers to see who relies on the Safe Harbor.
  • See if you can make alternative arrangements, such as using the model contract clauses (available from the ICO website) or binding corporate rules if you are a global business.

There are likely to be many more options and advice in the coming weeks, from organisations such as the Information Commissioner’s Office.

Some service providers in the US have already issued new contracts including model contract clauses, which binds data protection on a contractual level.

What happens next?

At first glance, the demise of Safe Harbor will be little more than an inconvenience for many EU-based organisations.

But, if you are a US service provider who relied on Safe Harbor to rubber stamp the gathering of EU citizens’ data (such as social media platforms), things might not look so rosy.

The only way of complying with the Data Protection Act would be to gain the specific and informed consent of the data subject.

But, to be properly informed, the data subject would need to be told that their data was going to a country where the authorities’ wide ranging powers of interference and surveillance and the absence of any administrative or judicial means of redress, compromise individuals’ fundamental rights to respect for private life and to effective judicial protection. 

And if they were informed, would they consent? 

And considering the Court of European Justice ruling has questioned the data protection and security regime of the United States, then no contractual agreement will satisfy the EU data protection requirements.

Nothing short of a complete revision of the US security regime regarding the surveillance of foreign citizens will satisfy the EU regulations.

The EU regulations are formed on fundamental human rights, one of which is the right to a private life. That is not going to change, but it remains to be seen how far the US is prepared to compromise. 

The only certainty, is that the next few months will be very interesting.