International Safe Harbor Privacy Principles

The US Department of Commerce developed privacy frameworks in conjunction with both the European Union and the Federal Data Protection and Information Commissioner of Switzerland.

Safe Harbor Principles were designed to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information.

On 6 October 2015, the European Court of Justice invalidated the EC's Safe Harbor Decision, because "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life" [emphasis in original].

After opting in, an organization must have appropriate employee training and an effective dispute mechanism in place, and self re-certify every twelve months in writing that it agrees to adhere to the EU–US Safe Harbor Framework's principles, including notice, choice, access, and enforcement.

In a 2011 case, the Federal Trade Commission obtained a consent decree from a California-based online retailer that had sold exclusively to customers in the United Kingdom.

The EU–US Safe Harbor Principles 'self certification scheme' has been criticised in regard to its compliance and enforcement in three external EU evaluations.

In June 2011, Microsoft UK's managing director Gordon Frazer said that "cloud data, regardless of where it is in the world, is not protected against the Patriot Act."

In October 2015, the ECJ responded to a referral from the High Court of Ireland in relation to a complaint from Austrian citizen Maximilian Schrems regarding Facebook's processing of his personal data from its Irish subsidiary to servers in the US.

The ECJ held the Safe Harbor Principles to be invalid, as they did not require all organizations entitled to work with EU privacy-related data to comply with them, thus providing insufficient guarantees.

The court held that companies opting in were "bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with national security, public interest and law enforcement requirements".

German MEP Jan Philipp Albrecht and campaigner Max Schrems have criticized the new ruling, with the latter predicting that the Commission might be taking a "round-trip to Luxembourg" (where the European Court of Justice is located).

The Article 29 Working Party has taken up this demand, and stated it would hold back another month until March 2016 to decide on consequences of Commissioner Jourova's new proposal.

Privacy activist Joe McNamee summed up the situation by noting the commission has announced agreements prematurely, thus forfeiting its negotiating right.