'Safe Harbor' is now defunct because the European Court of Justice found the following:

(a) There is no general privacy law or other measures enacted in the US that shows the US offers "an adequate level of protection" for personal data relating to European data subjects;

(b) Public law enforcement authorities which obtain personal data from organisations in Safe Harbor are not obliged to follow the 'Safe Harbor' rules after disclosure;

(c) Some US law enforcement agencies can gain access to personal data in 'Safe Harbor' without having any law that legitimises their access; and

(d) The European Commission knew all the above and knew that personal data was possibly being used for incompatible and disproportionate purposes by law enforcement agencies.

If you read Article 8(2) of the Human Rights Convention, you will get the ECJ Judgment immediately.

It states:

There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

As Snowden's leaks showed, there is no law legitimising the interference by the National Security Agencies, so one does not know whether any interference on their part is necessary.

'Safe Harbor' is unsafe because such agencies in the USA can access personal data without due process, and because the US has no law that limits the use of personal data by them.

Perhaps the time has come not for a revamped 'Safe Harbor', but for the US to adopt a Federal Data Protection Law.

References

Schrems v Facebook: Case C 362/14

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.