EU-U.S. Safe Harbor Agreement on Personal Data Privacy: In Brief [October 29, 2015] [open pdf - 692KB]
"On October 6, 2015, the Court of Justice of the European Union (CJEU) delivered a judgment that invalidates the Safe Harbor Agreement between the United States and the 28-member European Union (EU). Safe Harbor is a 15-year-old accord, under which personal data could legally be transferred between EU member countries and the United States. The negotiation of Safe Harbor was largely driven by the EU's 1995 Data Protection Directive (DPD) and European concerns that the U.S. approach to data privacy did not guarantee a sufficient level of protection for European citizens' personal data. The Safe Harbor Agreement applies to a wide range of businesses and organizations that collect and hold personal data. When the parties concluded the Safe Harbor Agreement in 2000, however, the Internet was still in its infancy, and the range of public and private actors engaged in the mass processing of personal data, including across borders, was much more limited than today. The CJEU case stems from a 2013 complaint brought by an Austrian citizen and Facebook user, Maximillian Schrems, who claimed that the United States, and ultimately the Safe Harbor Agreement, failed to meet EU data protection standards in light of the unauthorized disclosures of classified U.S. surveillance programs by former U.S. National Security Agency (NSA) contractor Edward Snowden. In its decision, the CJEU determined that U.S. data protection measures do not provide an 'adequate level of protection' for personal data as required by the EU DPD, and thus Safe Harbor, as currently agreed, is invalid."
CRS Report for Congress, R44257
Federation of American Scientists: http://www.fas.org/sgp/crs/index.html