There are some limits, but it's ironic that "Safe Harbor" was declared invalid by the highest European court for supposedly allowing this. Now the replacement explicitly allows it!
How so? The fourth bullet point of the EU-US Privacy Sheild Framework Fact Sheet reads:
The U.S. Federal Trade Commission (FTC) has committed to work closely with the DPA to provide enforcement assistance, which, in appropriate cases, could include information sharing and investigative assistance pursuant to the U.S. SAFE WEB ACT.
The US Safe Web Act
[A]llows increased cooperation with foreign law enforcement authorities through confidential information sharing, provision of investigative assistance, and enhanced staff exchanges. In certain limited circumstances it enables the FTC to obtain information in domestic or foreign consumer protection matters from third parties without tipping off investigative targets.
So the US Federal Trade Commission can obtain information without alerting the people being observed and share it. That's a pretty good definition of "spying." Having the one agreement reference the other by name means that the EU-US Privacy Shield doesn't have this language in it anywhere, but still effectively guarantees the right to spy.
As an aside, if someone knows where the now defunct "Safe Harbor" agreement allows spying, I hope you will point me to it. I thought I was familiar with that legislation and was not aware of any explicit "spying allowed" clause. I always thought the agreement that allowed the US and UK to spy on each other was the "Five Eyes" alliance created in the 1940's, but that didn't seem to get any press.