The scheme was agreed by the European Commission and the US last year and introduced in November 2000. From 1 July 2001, its principles became legally enforceable. Companies in the UK and other EU member states are breaking the law if they share personal data with US companies that do not have an adequate written privacy agreement.
Sharing includes activities such as sending payroll data to a US parent company. Such transfers could lead to prosecution by the information commissioner.
To date, only 96 firms have signed up to Safe Harbour, including Microsoft, Hewlett Packard and technology giant TRW. The low take-up raises questions about how companies can benefit from Safe Harbour certification - what value does it have for US companies?
Since the original negotiations, we have seen a change of government in the US, and noises from the Bush camp indicate that some see Safe Harbour as an infringement of the trade rights of US firms.
There have also been rumours that should proceedings begin against a US firm for non-compliance, retaliation can be expected.
Safe Harbour was created to facilitate the transfer of data from the UK to the US in line with the Data Protection Act 1998. The need arose because the Act prohibits the transfer of personal data outside the European Economic Area unless the country receiving it has adequate data protection regulations in place. The US has a self-regulatory approach, making transferring data to the US particularly complex.
The scheme overcomes this issue through a system of certification which indicates that a US company meets the UK's privacy protection requirements.
When it was introduced, EC and US enthusiasm led to expectations of 1,000 or more businesses signing up to Safe Harbour in its first year. With trade between the US and Europe estimated to be worth upwards of £300bn, this is, in principle, a sound concept.
What does Safe Harbour mean for your company?
Safe Harbour allows a UK company to send data to a certified US company without fear of prosecution, because certification satisfies the Data Protection Act's adequacy requirements. This saves EU companies time and money.
There are alternatives. Companies can establish adequate data protection measures within a written contract. This approach is often used by a US company that has a small number of UK affiliates, where there may be no additional benefit in signing up to the Safe Harbour scheme.
Janet Chance is an IT lawyer at Eversheds