CIPP/E Study Guide
Ch 12.5 - US: Safe Harbor to Schrems I

The United States - Safe Harbor, Snowden and Schrems I

Safe Harbor (Commission decision 26 July 2000) was a self-certification framework treated as adequate for EU-US transfers. Criticised for weak self-certification and lax FTC enforcement, it was undermined further by the 2013 Snowden revelations about NSA surveillance. Maximillian Schrems' complaint led the CJEU to invalidate Safe Harbor on 6 October 2015 (Schrems I).

Given the huge EU-US data flows, the US Department of Commerce (DOC) and the Commission built Safe Harbor as a self-regulatory framework. The Commission's decision of 26 July 2000 treated the Safe Harbor Privacy Principles as adequate. Weaknesses: members skipped required annual compliance checks, and the FTC under-enforced compared with domestic cases.

The June 2013 Snowden disclosures about NSA mass surveillance damaged EU trust. The Parliament sought suspension; the Commission instead renegotiated, issuing 13 recommendations on four priorities - transparency, redress, enforcement and access to data by US authorities. The DOC accepted 12 of 13; the sticking point was the recommendation that the national-security exception be used only when strictly necessary and proportionate.

Schrems I

Maximillian Schrems complained to Ireland's DPC over Facebook Ireland's transfers. The case reached the CJEU, which on 6 October 2015 declared the Safe Harbor adequacy decision invalid.

Key terms - quick answers

What is “Safe Harbor”?
The original (2000) self-certification framework allowing EU-US transfers to US firms that signed up to its Privacy Principles; invalidated by the CJEU in 2015.
What is “FTC”?
U.S. Federal Trade Commission - the regulator responsible for enforcing Safe Harbor commitments against participating firms.
What is “Schrems I”?
CJEU judgment of 6 October 2015 (C-362/14) declaring the Safe Harbor adequacy decision invalid.
What is “CJEU”?
Court of Justice of the European Union - the highest authority on the interpretation of EU law.