On 6 October this year the European Court of Justice declared that the European Commission’s ‘Safe Harbor’ decision (2000/520) of 2000 − which found that the United States afforded an adequate level of protection of personal data − was invalid.
Safe Harbor Framework
This Safe Harbor Framework was one of a number of legal bases allowing the transmission of personal data from the EU to the United States to the 5,500 or so US entities self-certified under the Safe Harbor scheme. With this legal basis no longer valid, data transfer now has to be put on another basis, as stipulated in Article 26 of EU Directive 95/46/EC.
Declaration of invalidity
One of the reasons for the European Court of Justice’s declaration of invalidity is that personal data are not afforded adequate protection because the Safe Harbor Framework does not sufficiently limit the US government’s ability to infringe on the fundamental rights of individuals for reasons of national security and the public interest, and that it even gives these aims precedence over the safe harbor principles. There are thus not adequate safeguards in place to ensure that personal data will only be accessed if this – in terms of the European interpretation – is necessary and proportionate. As evidence of disproportionate use of personal data by government authorities it points to the PRISM programme exposed by Edward Snowden.
Implications for Switzerland
This European Court of Justice decision does not have any direct consequences for Switzerland for the time being. Switzerland and the United States have their own Safe Harbor arrangement – albeit virtually identical to the US/EU agreement – that currently affords an adequate level of data protection for around 3,900 self-certified US entities. However, it seems likely that the turmoil in Europe will also spill over into Swiss data protection, and that the Swiss Federal Data Protection and Information Commissioner (FDPIC) will also conclude that the Swiss Safe Harbor Framework no longer meets the requirements of Swiss data privacy law. In its initial opinion, the FDPIC indeed expressed the view that the European Court of Justice’s decision also calls the agreement between Switzerland and the United States into question, and that as far as Switzerland is concerned, in the event of renegotiation only an internationally coordinated approach that includes the EU would be appropriate.
On 22 October the FDPIC found that the Safe Harbor Framework between Switzerland and the United States no longer constitutes an adequate legal basis for data transfer to the United States. Swiss companies that transfer data to the United States on the basis of the Safe Harbor Framework must contractually agree guarantees assuring adequate levels of data protection with the US entity by the end of January 2016. While this will not solve the problem of disproportionate interference by the authorities, it will enable the level of data protection to be improved somewhat. In addition, persons affected must be given clear and comprehensive information, especially regarding the possibility that the data could be accessed by the authorities