U.S.-EU Safe Harbor Framework

The European Union (EU) adopted a policy in 1995 referred to as the "European data directive" that requires member countries to pass laws prohibiting the transfer of personal data to countries that are not members of the EU ("third countries") unless the third countries ensure an "adequate level of protection" for personal data. The directive went into force on October 25, 1998.

Since the United States does not have such laws, the U.S. Department of Commerce (DOC) negotiated with the EU to accept "safe harbor" certifications developed by DOC and U.S. industry whereby U.S. companies can satisfy the intent of the EU data directive through adhering to certain self-regulatory principles. After two years of negotiations, the Safe Harbor Agreement was approved by the European Commission (EC) (the "executive arm" of the EU) in May 2000.

The European Parliament, consisting of elected representatives of the EU countries, subsequently disapproved the Agreement, however, asking for further negotiations with the United States. The European Parliament's decision was not binding on the EC, though, and the EC decided to proceed with implementing the agreement after conveying to the United States the concerns expressed by the European Parliament.

The Agreement became effective November 12, 2000.