EU-US Safe Harbor and Transatlantic Data Transfer Frameworks

What this page covers: The legal mechanisms that allow American companies to receive and process personal data from European citizens — how they work, why they keep getting struck down, which companies in this investigation use them, and the structural question of whether self-certification frameworks create the conditions for the data breaches and data monetization patterns documented throughout this investigation.


What Is Safe Harbor?

The EU-US Safe Harbor Framework was the original legal mechanism for transferring personal data from the European Union to the United States. Established in 2000 by the U.S. Department of Commerce and the European Commission, it addressed a fundamental problem: EU law (Directive 95/46/EC) required that personal data could only be transferred to countries with “adequate” data protection. The United States, with its sector-specific approach to privacy rather than comprehensive legislation, did not meet that standard. [1] [2]

Safe Harbor allowed U.S. companies to voluntarily self-certify that they adhered to seven privacy principles: notice, choice, onward transfer, security, data integrity, access, and enforcement. Companies self-certified through the Department of Commerce, which maintained a public website listing certified companies and whether their certification was “current.” Recertification was required annually. [1] [2] [3]

The critical word is self-certify. Companies declared their own compliance. No independent auditor verified the declaration before certification was granted. Enforcement was retroactive — after a breach or complaint, not before. A company could self-certify, receive European personal data, and fail to meet every principle it claimed compliance with — and nothing would happen until someone noticed and filed a complaint. [2] [3]

The Seven Principles

Every company that self-certified — under Safe Harbor, Privacy Shield, or the current DPF — attested to compliance with these seven principles: [24]

| Principle | What It Requires | 23andMe’s Breach Performance |
| --- | --- | --- |
| Notice | Inform individuals about what data is collected, why, and who receives it | 23andMe’s consent forms described research sharing. However, customers were not informed their data was vulnerable to a months-long credential stuffing attack the company was aware of and dismissed as a hoax. |
| Choice | Allow individuals to opt out of data collection or secondary uses | 84% opted into research. Opting out after the breach doesn’t un-steal your genetic data. |
| Onward Transfer | Ensure third parties receiving data provide adequate protection | GSK received $350M access to the database. TrialSpark partnered on clinical trial recruitment from the same population. The stolen data was transferred onward — to the dark web, organized by ethnicity. |
| Security | Take “reasonable precautions” to protect data from loss, misuse, unauthorized access | 8-character passwords. No MFA for raw DNA access. No compromised-credential checks. Detection systems that failed for five months. IT ticket opened on early warning, then closed — “believed to be a hoax.” |
| Data Integrity | Ensure data is accurate, complete, and current for its intended use | Not a primary violation in this breach, though the ethnic targeting of stolen data raises questions about how ancestry categorizations were stored and whether they facilitated targeted extraction. |
| Access | Allow individuals to access their data and correct inaccuracies | The breach gave unauthorized access to 6.9 million profiles. The individuals whose data was stolen had no notification for months. |
| Enforcement | Provide effective mechanisms for ensuring compliance, including recourse for affected individuals | The FTC did not bring a DPF enforcement action. The UK ICO fined 23andMe 2.31M pounds. The Canadian privacy commissioner investigated. Enforcement came from foreign regulators, not from the framework’s designated U.S. enforcer. |

23andMe held current DPF certification — self-attesting compliance with all seven principles — while actively failing at least four of them (Security, Onward Transfer, Access, Enforcement) during the breach period.


The Three Frameworks (and Two Invalidations)

The EU-US data transfer landscape has been through three frameworks, two court invalidations, and one Austrian privacy activist named Max Schrems.

Safe Harbor (2000-2015)

Established under EU Directive 95/46/EC. Self-certification through the Department of Commerce. Used by thousands of U.S. companies for 15 years. [1]

Invalidated October 6, 2015 by the Court of Justice of the European Union (CJEU) in Schrems v. Data Protection Commissioner (Schrems I). The case was triggered by the Snowden revelations: in May 2013, former NSA contractor Edward Snowden disclosed that U.S. intelligence agencies had obtained unrestricted access to mass data stored on servers controlled by Google, Facebook, Yahoo, and other Internet companies through a program called PRISM. According to reporting, Facebook was forwarding European user data en masse to the NSA under PRISM. The company could nonetheless rely on Safe Harbor because the framework’s language permitted “national security matters” to override privacy protections. [2] [4] [5] [25]

Austrian privacy advocate Max Schrems filed complaints against Facebook Ireland, arguing that PRISM and related surveillance meant personal data transferred to U.S. servers lacked “adequate protection” under EU law. The Irish Data Protection Commissioner initially rejected his complaint as “frivolous and vexatious.” Schrems took it to the Irish courts, then to the CJEU. The court agreed on two grounds: (1) U.S. intelligence surveillance exceeded what EU privacy law permits, and (2) EU citizens had no administrative or judicial recourse against U.S. surveillance. The court noted that the European Commission had approved Safe Harbor without evidence on record about U.S. surveillance or its impact on privacy — it had “signed off on a framework it didn’t fully understand.” [5] [25] [26]

The Snowden revelations also disclosed surveillance of 35 world leaders’ telephone conversations, including German Chancellor Angela Merkel. The political fallout reinforced the CJEU’s conclusion that U.S. data protection was structurally inadequate. [25]

Privacy Shield (2016-2020)

Negotiated as Safe Harbor’s replacement. Adopted July 2016. Introduced stronger obligations, clearer government access limitations, and a new Ombudsman mechanism for EU complaints. [1] [4]

Invalidated July 16, 2020 by the CJEU in Data Protection Commissioner v. Facebook Ireland (Schrems II). Same plaintiff, same core argument: U.S. surveillance laws (particularly FISA Section 702) still compromised European data privacy. The court found the Ombudsman mechanism lacked independence and binding authority. [1] [4]

EU-US Data Privacy Framework (2023-present)

Adopted July 10, 2023 by the European Commission. Built on Executive Order 14086 (signed by President Biden, October 2022), which introduced new safeguards on U.S. intelligence activities. Companies with existing Privacy Shield certifications had until October 10, 2023 to recertify under the new framework through dataprivacyframework.gov. [6] [7]

The DPF survived its first legal challenge in 2025. However, Schrems’s organization (noyb) has signaled intent to challenge the framework again, and legal analysts widely expect a Schrems III case. [4]


The FTC Enforcement Gap

The Federal Trade Commission enforces the frameworks — but the enforcement record reveals a structural problem.

The FTC brought 39 enforcement actions under Safe Harbor across its entire 15-year lifespan (2000-2015). Additional actions followed under Privacy Shield. But the overwhelming majority of these actions were for lapsed certifications or false claims of participation — not for substantive privacy violations. [8] [9]

The FTC’s own language is telling: enforcement actions against companies with lapsed certifications carry the explicit caveat that the action “does not necessarily mean that the company committed any substantive violations of the privacy principles.” The FTC enforces the paperwork, not the protection. [10]

The enforcement pattern:

  • First wave (2009): 6 companies settled for lapsed certifications [10]
  • Second wave (2014): 12 companies settled for lapsed certifications [10]
  • Third wave (2015): 13 companies settled — 7 for lapsed certifications, 6 for claiming certification they never actually applied for [11]
  • Privacy Shield actions (2017-2019): Multiple rounds of enforcement, primarily for false or incomplete certification claims [8] [9]
  • Warning letters: FTC sent warning letters to 13 companies still claiming Safe Harbor participation after it was replaced by Privacy Shield [12]

One of the companies caught in the 2015 enforcement wave was Jubilant Clinsys, Inc. — a clinical research organization. A clinical trial company falsely claimed Safe Harbor certification for transatlantic data transfers. This is directly relevant to the investigation’s clinical trial pipeline (TrialSpark/Formation Bio). [11]

The ratio problem: Thousands of companies held Safe Harbor and Privacy Shield certifications. The FTC brought 39 actions under Safe Harbor across 15 years. Approximately 5,000 companies were certified at any given time. The enforcement rate was roughly 0.5% per year — and almost all actions addressed paperwork lapses, not actual data protection failures. [8]


Companies in This Investigation

23andMe

23andMe holds current certification under the EU-US Data Privacy Framework (DPF), the UK Extension to the DPF, and the Swiss-US DPF. Their EU privacy notice states they “adhere to the EU-US Data Privacy Framework Principles” and have certified through the U.S. Department of Commerce. [13]

The breach: In October 2023 — the same year the DPF was adopted and the same month as the DPF recertification deadline — 23andMe confirmed a data breach exposing approximately 6.9 million customer profiles. The breach was caused by credential stuffing (reusing stolen passwords from other breaches). The stolen data was specifically targeted by racial and ethnic background — with datasets labeled as Jewish and Chinese ancestry profiles advertised for sale on the dark web by a threat actor using the handle “Golem.” [14] [15]

The joint Canada/UK investigation found: [14] [15]

  • Password policy required only 8 characters (below industry standards of 10+)
  • No robust checks for compromised/reused credentials
  • No additional identity verification for accessing raw DNA data
  • Detection systems failed to alert 23andMe to clear credential stuffing signals
  • 23andMe received early warning messages through its customer portal, opened an IT ticket, then closed it, believing the issue was a hoax
  • The breach ran from April to September 2023 — five months of active attack before the company acknowledged it
  • UK ICO fined 23andMe 2.31 million pounds ($3.1 million)
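The three controls the Canada/UK findings list as missing (a password length floor, a compromised-credential check, and detection of credential stuffing in login telemetry), as an added example that is not 23andMe's code or the regulators' tooling. The log lines, IP addresses, account names and breach denylist are constructed; the 10-character minimum is taken from the industry baseline the findings cite.

```python
import hashlib
from collections import defaultdict

# Constructed auth log (not real 23andMe data). One login attempt per line:
# "<timestamp> src=<ip> user=<account> result=<ok|fail>"
SAMPLE_LOG = """\
2023-04-02T01:00:01 src=203.0.113.7 user=alice result=fail
2023-04-02T01:00:02 src=203.0.113.7 user=bob result=fail
2023-04-02T01:00:03 src=203.0.113.7 user=carol result=ok
2023-04-02T01:00:04 src=203.0.113.7 user=dave result=fail
2023-04-02T01:00:05 src=203.0.113.7 user=erin result=fail
2023-04-02T01:00:06 src=203.0.113.7 user=frank result=fail
2023-04-02T01:00:07 src=203.0.113.7 user=grace result=ok
2023-04-02T01:00:08 src=203.0.113.7 user=heidi result=fail
2023-04-02T01:00:09 src=203.0.113.7 user=ivan result=fail
2023-04-02T01:00:10 src=203.0.113.7 user=judy result=fail
2023-04-02T01:05:00 src=198.51.100.9 user=alice result=fail
2023-04-02T01:05:30 src=198.51.100.9 user=alice result=ok
2023-04-02T01:06:00 src=192.0.2.44 user=mallory result=fail
"""

def parse_event(line):
    """Split one log line into its fields."""
    ts, rest = line.split(" ", 1)
    kv = dict(field.split("=", 1) for field in rest.split())
    return {"ts": ts, "src": kv["src"], "user": kv["user"], "ok": kv["result"] == "ok"}

def stuffing_sources(log_text, min_accounts=5, min_fail_ratio=0.6):
    """Flag source IPs whose pattern matches credential stuffing: many distinct
    accounts tried, mostly failing, with a few successes where a password reused
    from another breach was valid here. A user retrying their own account is not flagged."""
    per_src = defaultdict(lambda: {"accounts": set(), "fail": 0, "ok": 0})
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            stats = per_src[ev["src"]]
            stats["accounts"].add(ev["user"])
            stats["ok" if ev["ok"] else "fail"] += 1
    flagged = {}
    for src, stats in per_src.items():
        total = stats["ok"] + stats["fail"]
        ratio = stats["fail"] / total
        if len(stats["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[src] = {"accounts": len(stats["accounts"]),
                            "ok": stats["ok"], "fail_ratio": round(ratio, 2)}
    return flagged

def accounts_to_reset(log_text, flagged):
    """Accounts a flagged source logged into successfully: these are the compromised
    ones and need a forced password reset and session invalidation."""
    return sorted({ev["user"] for ev in map(parse_event, filter(str.strip, log_text.splitlines()))
                   if ev["ok"] and ev["src"] in flagged})

# Constructed breach denylist (SHA-1 of passwords seen in earlier leaks),
# standing in for a real compromised-credential corpus.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("password1", "CorrectHorse2023!", "letmein1")}

def password_acceptable(pw, min_len=10):
    """Enforce the 10+ character baseline the findings cite and reject any
    password already present in the breach corpus, whatever its length."""
    if len(pw) < min_len:
        return False, "too_short"
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        return False, "compromised"
    return True, "ok"
```

Running `stuffing_sources(SAMPLE_LOG)` flags only 203.0.113.7 (10 accounts, 80% failure, 2 successes), and `accounts_to_reset` returns carol and grace; the lone retrying user at 198.51.100.9 is left alone.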

The timing convergence: 23andMe self-certified under the DPF in 2023. The breach was actively occurring during the April-September 2023 credential stuffing campaign. The company held certification asserting adequate data protection while its detection systems were failing to identify a months-long attack on its most sensitive data — genetic information. The certification did not prevent the breach, did not detect the breach, and did not mitigate the breach.

The investigation connection: Our 23andMe profile documents that the 23andMe/TrialSpark partnership was announced September 26, 2019, with an RFP deadline of November 15, 2019. Prior investigation sessions documented that 23andMe and TrialSpark received Safe Harbor certifications in the same window. 84% of 23andMe’s 15 million customers opted into the research program, meaning their genetic data was being commercially shared with pharmaceutical partners — including GSK’s $350 million deal that produced ONE compound reaching Phase I in seven years. The data breach exposed the same population whose genetic information was being monetized through the clinical trial partnership pipeline. [16]

Worldcoin / Tools for Humanity — The Biometric Data Transfer Problem

Worldcoin (now rebranded as “World”) collects iris scans — biometric data that falls under GDPR’s strictest protections as special category data (Article 9). Rather than using the DPF self-certification framework, Worldcoin has attempted a different strategy: claiming its data processing architecture achieves anonymization, which would exempt it from GDPR entirely. [17]

Multiple EU regulators have rejected this claim:

  • Germany (Bavaria): The Bavarian State Office for Data Protection Supervision (BayLDA) — Worldcoin’s lead EU regulator since its headquarters are in Erlangen — investigated since April 2023 and ordered stricter data protection measures. BayLDA president stated: “We are enforcing European fundamental rights standards.” The regulator found Worldcoin does not comply with GDPR. [18] [19]
  • Spain: The AEPD temporarily banned Worldcoin from collecting iris biometrics (March 2024), using GDPR “urgency procedure” powers. Worldcoin sued the regulator. [20]
  • Portugal, France: Both countries’ data authorities have questioned Worldcoin’s GDPR compliance. [21]
  • Kenya: Suspended operations entirely pending investigation. [16]

The consent form problem: Worldcoin’s own biometric data consent form contained a bolded warning that users who “sign-up with an Orb” would not be able to have their iris code deleted: “We will create a unique Iris Code that cannot be deleted anymore (if we were to delete it, the proof of uniqueness would not work).” This directly conflicts with GDPR Article 17 (right to erasure). You cannot simultaneously claim GDPR compliance and tell users their biometric data is permanent. [22]

The corporate restructuring defense: Worldcoin has restructured its data controller designation multiple times. Initially, the Worldcoin Foundation was the data controller. Then Tools for Humanity GmbH (the German subsidiary) was designated as sole data controller for EU operations. Then Worldcoin introduced “AMPC” (Anonymized Multi-Party Computation), arguing that data is anonymized once it leaves the Orb device, which would remove GDPR applicability entirely. Spain’s regulator found the documentation insufficient to resolve questions about the system’s risk profile. [17] [20]

Worldcoin is now pivoting away from Europe rather than achieving compliance — expanding operations in Latin America, Africa, and Asia where biometric privacy regulation is less developed. [21]

OpenAI

OpenAI’s security page references “safe harbor” only in the context of its bug bounty program (providing legal safe harbor for security researchers). OpenAI’s transatlantic data transfer mechanisms for ChatGPT user data, API customer data, and training data sourced from EU websites require separate investigation. [23]


The Self-Certification Structural Problem

All three EU-US frameworks share the same fundamental architecture: self-certification with retroactive enforcement. This creates four structural incentive failures:

1. The certification is the product, not the compliance. A company needs the certification to receive EU data. The certification is obtained by filing paperwork. The paperwork asks the company to attest to its own compliance. No mechanism verifies the attestation when it is made.

2. The FTC enforces form, not substance. 39 enforcement actions across 15 years and thousands of certified companies. Almost all for lapsed paperwork, not for actual data protection failures. The 23andMe breach — 6.9 million genetic profiles stolen while the company held current certification — did not result in an FTC Safe Harbor/DPF enforcement action. The ICO (UK) fined them. The Canadian privacy commissioner investigated. The FTC’s DPF enforcement was not the mechanism that caught the failure.

3. Recertification is annual but not audited. Companies submit updated paperwork each year. No independent assessor verifies the claims. A company can recertify annually while its password policy requires only 8 characters and its detection systems dismiss active attacks as hoaxes.

4. Certification creates false legal assurance. EU businesses transferring personal data to a certified U.S. company rely on the certification as legal proof of adequate protection. When the underlying compliance is not verified, the certification functions as a legal shield for the data collector, not a privacy guarantee for the data subject.


The Pattern: Certification, Monetization, Breach

The conjecture that Safe Harbor/DPF certifications correlate with data breaches finds structural support:

Companies that need certification handle large volumes of EU personal data. Large data volumes are inherently more attractive to attackers and more valuable for commercial monetization. The certification enables collection at scale without verification at scale.

The 23andMe cycle: Certified compliance (self-attested) -> collected genetic data from EU citizens -> monetized data through pharma partnerships ($350M GSK deal, TrialSpark partnership) -> failed to implement basic security (8-character passwords, no MFA for DNA access, dismissed breach warnings as hoaxes) -> data stolen and ethnically targeted -> company entered bankruptcy -> assets acquired by founder’s nonprofit at 91% discount -> DPF certification presumably transfers to acquiring entity.

The certification framework did not cause the breach. But it created the legal permission structure that enabled transatlantic genetic data collection at scale, without the corresponding verification structure that would have caught the security failures before 6.9 million profiles were stolen and sold on the dark web organized by ethnicity.


Nodes and Open Questions

  1. Does Formation Bio / TrialSpark hold DPF certification? Clinical trial data from European participants would require DPF certification or alternative transfer mechanisms. If Formation Bio conducts trials in or with EU partners, what is its data transfer framework?
  2. The same-window certification timing: Prior investigation sessions documented that 23andMe and TrialSpark received Safe Harbor certifications in the same window. Exact dates need verification from dataprivacyframework.gov. If certification was obtained specifically to enable the September 2019 partnership, the certification becomes a deal prerequisite rather than a privacy commitment.
  3. 23andMe’s certification status post-bankruptcy: When TTAM acquired 23andMe’s assets, did the DPF certification transfer? Does a new entity inheriting a breached company’s data inherit its privacy obligations? The EU privacy notice still lists 23andMe, Inc. as the certified entity.
  4. Jubilant Clinsys: A clinical research organization caught in the FTC’s 2015 Safe Harbor enforcement wave. What was the nature of their clinical data transfers? Were clinical trial participants’ data affected? Is there a pattern of clinical trial companies using Safe Harbor certification to transfer patient data transatlantically?
  5. Worldcoin’s right-to-erasure conflict: The consent form states iris codes “cannot be deleted anymore.” GDPR Article 17 guarantees the right to erasure. How does Worldcoin reconcile these? The AMPC anonymization argument has not been accepted by any EU regulator to date.
  6. Schrems III: If the DPF is invalidated like its predecessors, every certified U.S. company loses its legal basis for holding EU personal data. What happens to 23andMe’s database? To Worldcoin’s iris codes? To clinical trial data held by Formation Bio or its partners?
  7. The FTC enforcement ratio: ~5,000 certified companies. 39 enforcement actions over 15 years. Approximately 0.5% annual enforcement rate. Almost all for paperwork violations, not substantive data protection failures. Is this adequate enforcement for a framework that governs the personal data of hundreds of millions of EU citizens?

Sources

  1. [Archive] (https://www.congress.gov/crs-product/R46724)
  2. [Archive] (https://legalclarity.org/safe-harbor-privacy-and-the-eu-us-data-privacy-framework/)
  3. [Archive] (https://www.ftc.gov/business-guidance/privacy-security/us-eu-safe-harbor-framework)
  4. [Archive] (https://www.rstreet.org/commentary/the-rise-and-fall-of-the-safe-harbor-privacy-treaty/)
  5. [Archive] (https://medium.com/golden-data/the-schrems-legacy-rethinking-eu-us-data-transfers-b9b0edbff8c9)
  6. [Archive] (https://cookie-script.com/privacy-laws/2023-eu-us-data-privacy-framework)
  7. [Archive] (https://verasafe.com/blog/data-privacy-framework-frequently-asked-questions/)
  8. [Archive] (https://www.ftc.gov/news-events/news/press-releases/2017/09/three-companies-agree-settle-ftc-charges-they-falsely-claimed-participation-eu-us-privacy-shield)
  9. [Archive] (https://www.wilmerhale.com/en/insights/blogs/WilmerHale-Privacy-and-Cybersecurity-Law/20191209-ftc-steps-up-privacy-shield-enforcement-actions)
  10. [Archive] (https://www.hoganlovells.com/en/publications/ftc-settles-safe-harbor-enforcement-actions-with-six-companies)
  11. [Archive] (https://www.ftc.gov/news-events/press-releases/2015/08/thirteen-companies-agree-settle-ftc-charges-they-falsely-claimed)
  12. [Archive] (https://www.ftc.gov/news-events/news/press-releases/2019/06/ftc-takes-action-against-companies-falsely-claiming-compliance-eu-us-privacy-shield-other)
  13. [Archive] (https://www.23andme.com/en-eu/legal/eu-privacy-notice/)
  14. [Archive] (https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2025/pipeda-2025-001/)
  15. [Archive] (https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/06/23andme-fined-for-failing-to-protect-uk-users-genetic-data/)
  16. Prior investigation sessions — 23andMe profile, TrialSpark partnership, Worldcoin documentation
  17. [Archive] (https://world.org/faqs)
  18. [Archive] (https://www.biometricupdate.com/202412/world-does-not-comply-with-gdpr-says-german-regulator)
  19. [Archive] (https://idtechwire.com/german-regulator-orders-worldcoin-to-delete-biometric-data-over-gdpr-violations/)
  20. [Archive] (https://ppc.land/spains-data-regulator-warns-worlds-iris-scan-operator-over-gdpr-risks/)
  21. [Archive] (https://www.biometricupdate.com/202410/worldcoin-pivots-away-from-europe-amid-tangle-of-gdpr-problems)
  22. [Archive] (https://techcrunch.com/2023/07/28/world-gdpr-concerns/)
  23. [Archive] (https://openai.com/security-and-privacy/)
  24. [Archive] (https://fastercapital.com/content/Information-Privacy–Safe-Harbor–Safeguarding-Information-Privacy.html)
  25. [Archive] (https://www.americanbar.org/groups/litigation/committees/commercial-business/articles/2016/the-us-eu-privacy-safe-harbor-is-invalid/)
  26. [Archive] (https://www.eff.org/deeplinks/2015/10/europes-court-justice-nsa-surveilance)