by flexie
3912 days ago
No, you are more or less right. The general rule is that personal data may only be transferred to organizations in third countries such as the US if they comply with the EU rules on data protection. See chapter IV of the data protection directive: http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:319...

In order to avoid that each EU member state would have to approve Google, Microsoft etc. one by one, the safe harbour framework was set up to let US companies self-certify that they complied with the rules:

"In order to bridge these differences and provide a streamlined and cost-effective means for U.S. organizations to satisfy the Directive’s “adequacy” requirement, the U.S. Department of Commerce in consultation with the European Commission developed a "safe harbor" framework. The U.S.-EU Safe Harbor Framework, which was approved by the EU in 2000, is an important way for U.S. organizations to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by EU member state authorities under EU member state privacy laws. Self-certifying to the U.S.-EU Safe Harbor Framework will ensure that EU organizations know that your organization provides "adequate" privacy protection, as defined by the Directive." http://www.export.gov/safeharbor/eu/eg_main_018476.asp

That was obviously a broken system, partially because the certified companies didn't live up to the EU standards, partially because the US government violated the rules systematically through CIA, NSA etc.

The fault here is really European as much as American. By relying on the wolf to guard the sheep we very much had it coming.