At present, the transfer of data outside the UK or other EU countries is limited by data protection legislation to prevent transfers to countries without adequate data protection laws. The US has no equivalent legislation, instead relying on a self-regulatory system.
Under the safe harbour, US companies can voluntarily adhere to a set of data protection principles recognised by the Commission as providing adequate protection and thus meet the requirements of the Directive as regards transfers of data out of the EU.
Although participation in the safe harbour is optional, its rules are binding for those US companies that decide to join, and compliance with the rules is regulated by the Federal Trade Commission and (for airlines) of the US Department of Transportation.
Data transfers to US organisations that choose to remain outside the safe harbour will normally still be possible, but will either need to benefit from one of the allowed exceptions (for example where the individuals concerned have given their agreement), or will require alternative safeguards, such as a contract.
EU data exporters wishing to check whether their intended US recipient enjoys safe harbour status will be able to refer to a publicly-available list maintained by the Department of Commerce (or somebody it designates for the purpose). US organisations that self-certify their adherence to the Safe Harbor Privacy Principles and publicly declare this will appear on the list, provided that they are subject to the jurisdiction of either the FTC or the Department of Transportation. They may lose their safe harbor benefits, and this will be made clear in the list, if they persistently fail to comply with the Principles.
It has been suggested that US companies have too little incentive to sign up and will be put off by the cost of changing their practices in data collection and use. They may also be afraid of coming under pressure to extend the protections of the safe harbour scheme to their US customers if they do sign up. According to a report on news web site zdnet.co.uk, major US companies with European presence, including IBM, Amazon.com and AT&T are still debating whether to sign up.