Laws in this area can be tricky to interpret, so digest this caution, but I found this analysis from Bloomberg BusinessWeek of interest:
The Safe Harbor scheme (not recognized by the Germans, incidentally) allows U.S. tech firms such as Google to self-certify, to say that they conform to EU-style data protection standards even if their country’s laws do not. It’s not quite that simple—these companies really do need to jump through some hoops before they claim compliance; just ask Heroku—but it does largely come down to trust.
EU data protection regulators have already called for the system to be toughened up through the introduction of third-party audits, but frankly it now looks like the whole system is in tatters. U.S. companies claiming Safe Harbor compliance include Google, Yahoo, Microsoft (MSFT), Facebook, and AOL (AOL), all of which now appear to be part (willingly or otherwise) of the NSA’s PRISM scheme.
As EU data protection rules don’t say it’s OK for foreign military units to record or monitor the communications of European citizens—heck, even local governments aren’t supposed to be doing that—the Safe Harbor program now looks questionable to say the least. A lot of people have already pointed to the U.S. Patriot Act as a threat, and now the effects of that legislation are plain to see.
The update at the beginning of the article reads:
I’ll admit I am shocked to have received this response from the European Commission’s Home Affairs department to my request for comment, with particular regard to the impact on EU citizens’ privacy: “We do not have any comments. This is an internal U.S. matter.”
I don’t see kicking U.S. tech companies out of Europe as a promising way of starting U.S./EU free trade negotiations. One possible legal “out” is discussed here. If anyone is going to drive this issue forward, it is likely the European public, who of course still can insist on tougher standards. Here is one description of Safe Harbor policies. The tech companies themselves may fear a loss of international competitiveness, or that Safe Harbor standards will be toughened, you will find a discussion of commercial worries and their potential impact here.