The Safe Harbour principles (which are largely similar to the Data Protection Act principles) were agreed between the European Commission and the US government in 2000. Personal data can be transferred to companies in the US which have signed up to the Safe Harbour scheme, whereas the transfer of data to US organisations which have not signed up to the Safe Harbour scheme must be analysed and treated in the same way as any other transfer outside the European Economic Area.
Failure to comply with the Safe Harbour rules can result in enforcement proceedings by the US Federal Trade Commission and direct action by affected individuals in the US courts.
As a result of Edward Snowden's revelations about mass surveillance of EU citizens' personal data held by US cloud computing providers (known as the PRISM case), the Safe Harbour agreement has been under close scrutiny by the European Commission, which published a communication in November 2013 making 13 recommendations to improve the functioning of the scheme.
The effect of the ruling of the European Court of Justice is that the transfer of personal data should now no longer be made to US entities solely on the basis that they are Safe Harbour-certified. It will be interesting to see the European Commission’s reaction to the ruling.
The European Court of Justice said that the Safe Harbour agreement did not eliminate the need for local privacy watchdogs to check US firms were taking adequate data protection measures. It added that the ruling meant Ireland's regulator now needed to decide whether Facebook's EU-to-US transfers should be suspended. The pact has existed for 15 years. Facebook has denied any wrongdoing. "This case is not about Facebook," said a spokeswoman. "What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows."