What is Safe Harbor and what do companies have to consider

The background story

The European Commission’s Directive on Data Protection went into effect in October 1998, and would prohibit the transfer of personal data to non-European Union countries that do not meet the European Union (EU) “adequacy” standard for privacy protection. While the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the EU. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The EU, however, relies on comprehensive legislation that requires, among other things, the creation of independent government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin. As a result of these differences, the Directive could have significantly hampered the ability of U.S. organizations to engage in a range of trans-Atlantic transactions.

In order to bridge these differences and provide a streamlined and cost-effective means for U.S. organizations to satisfy the Directive’s “adequacy” requirement, the U.S. Department of Commerce in consultation with the European Commission developed a “safe harbor” framework. The U.S.-EU Safe Harbor Framework, which was approved by the EU in 2000, is an important way for U.S. organizations to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by EU member state authorities under EU member state privacy laws. Self-certifying to the U.S.-EU Safe Harbor Framework will ensure that EU organizations know that your organization provides “adequate” privacy protection, as defined by the Directive.


The U.S.-EU Safe Harbor program provides a number of important benefits to U.S. and EU organizations.

Benefits for participating U.S. organizations include:

  • All 28 Member States of the European Union will be bound by the European Commission’s finding of “adequacy”;
  • Participating organizations will be deemed to provide “adequate” privacy protection;
  • Member State requirements for prior approval of data transfers either will be waived or approval will be automatically granted;
  • Claims brought by EU citizens against U.S. organizations will be heard, subject to limited exceptions, in the U.S.; and
  • Compliance requirements are streamlined and cost-effective, which should particularly benefit small and medium enterprises.


EU invalidated the agreement

The Safe Harbor agreement for the transfer of data between the EU and the USA was found invalid by the European Court of Justice on 6 October 2015. This means considerable legal uncertainty for many companies, especially those making use of Cloud services.

What now?

On 6 October, the European Court of Justice (CJEU) declared the Safe Harbor decision on the transfer of data between the USA and the EU to be invalid. The result of this is that any exchange of data on the basis of Safe Harbor is, with immediate effect, unlawful. European companies now need to examine whether and which of their data transfers – particularly those to Cloud service providers with IT resources in the USA – are affected by this.

The eco White Paper “Impacts on European Companies as CJEU declares Commission’s ‘Safe Harbor Decision’ invalid” explains how European companies should now proceed in order to assess their processes and ensure that their handling of data is legally compliant. The paper was written by the lawyer Dr. Thorsten Hennrich, a specialist in IT and Cloud-related legal topics.

The eco White Paper on the CJEU Safe Harbor Decision can be downloaded here.



Five tips for companies for dealing with the Safe Harbor Agreement (Source: eco)

  1. Check whether you are affected!
  2. Check what legal foundation you are using for your data transfers!
  3. Examine whether you can base your data transfers on other legal foundations!
  4. Inform your customers!
  5. Observe the further developments!




Click to access eco-guidelines-on-eu-data-protection-reform.pdf

© Copyright 2015 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check www.endpoint-cybersecurity.com to see the consulting services we offer.

Visit www.itsecuritynews.info for the latest security news in English
Visit de.itsecuritynews.info for IT security news in German

About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, has been working for over 20 years in the IT Security industry and worked from 2003 to 2014 for Avira as Product Manager for its well-known products used by over 100 million users world-wide. Today he is CEO and owner of Endpoint Cybersecurity GmbH, focusing on Cybersecurity, secure software development and security for IoT and Automotive. He also runs his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security.