European officials have long harbored doubts about the Safe Harbor agreement, and recent revelations of NSA surveillance have led to even tighter scrutiny of the agreement.

— European officials’ long-standing doubts about the Safe Harbor agreement, together with the furore over recent revelations of NSA surveillance, finally led to the Schrems decision on Oct. 6, which invalidated the 15-year-old agreement. Safe Harbor had originally allowed US companies to store EU citizens’ personal data without permission or formal steps to ensure its security. Now, the new and more complicated regulatory requirements, still the subject of urgent negotiations between the EU and the US, are making life more difficult for businesses previously accustomed to transfers of personal data between the two regions.

Currently, the EU Data Protection Directive controls any transfer of personal data from the EU to the US, including cloud storage on US servers, which is widely used. Companies can no longer rely on Safe Harbor, but must now independently verify that those transfers are secure. Any security holes must be closed using solutions such as contract clauses, data encryption or relocation of data centers to the EU. The situation is urgent: companies have to take immediate action to prepare for greater numbers of investigations, at the same time that they face the challenges of satisfying both the US Foreign Corrupt Practices Act (FCPA) and the new EU rules.

The Safe Harbor agreement, confirmed by the European Commission in July of 2000, concerned all 4,500 US companies providing services that required securely storing EU citizens’ personal data for transactions arising in, for example, technical support calls or insurance claims. Especially affected were applications that asked users to enter their information for storage on servers in the US, such as CRM and ERP systems, as well as internet-based email platforms. Safe Harbor was intended to keep that personal data safe and private.

Public shock at the ongoing, covert NSA surveillance, however, weakened the agreement past the breaking point. Paul Scala, CEO of FreshMail, a leading provider of email marketing in Europe, said, “Leaks about the quasi-legal use of data by the NSA had a massive impact on the trust in the safety that was guaranteed to EU citizens by Safe Harbor.” On October 6 of this year, that lack of trust led to the Schrems decision, which scrapped the old agreement and created instant uncertainty for the many affected businesses.

The primary legal problem was the lack of protection afforded by US courts against government, notably NSA, surveillance. The European court essentially ruled that the Safe Harbor guarantee was meaningless because US law offers no way to curtail that surveillance.

Freshmail‘s Paul Scala comments on how the new development is already affecting the European market for internet-based services. “The suspension of Safe Harbor has a huge impact on both American service providers and their European customers,” says Mr. Scala. “Since the agreement is no longer in force, new legal provisions are necessary to fill the void so that the relevant authorities are able to guarantee the security of stored personal data. The dynamics of the business environment, where time is money, will not influence the pace of the formulation of a new agreement.”


For more information, please contact:
Maria Wahal, Media Relations

88 Wood Street, London
EC2V 7RS, United Kingdom

Phone: +44 203 598 5098

For more information about us, please visit