US-Swiss Safe Harbor Framework no longer considered adequate for data transfers from Switzerland to the US
22. Oktober 2015 – By decision of 6 October 2015, the Court of Justice of the European Union (CJEU) has declared that the European Commission’s Decision of 26 July 2000 finding that, under the US-EU Safe Harbor Framework, the United States of America (US) ensure an adequate level of protection for personal data being transferred, is invalid (Judgement C-362/14).
As the US-Swiss Safe Harbor Framework is a separate agreement, which is not integrated into and does not form part of the US-EU Safe Harbor Framework, the Judgement C-362/14 does not have a direct impact on Switzerland. The Swiss Federal Data Protection and Information Commissioner (“Commissioner”) has until recently held that, under certain circumstances, no specific measures, such as the conclusion of a data transfer agreement, are required if a data recipient in the US is certified under the US-Swiss Safe Harbor Framework (see also our news).
On 22 October 2015, the Commissioner changed his view on this matter and issued a new statement according to which he does no longer consider the US-Swiss Safe Harbor Framework as a sufficient legal basis for a transfer of personal data from Switzerland to the US.
The Commissioner recommends entering into contractual safeguards (i.e. data transfer agreements) in the sense of Art. 6 para. 2 lit. a. of the Swiss Federal Data Protection Act (DPA). According to the Commissioner, such contractual safeguards must cover in particular the following aspects in addition to the usual content of such data transfer agreements:
- The parties to the transfer agreements must undertake to inform data subjects whose data is transferred to the US comprehensively about possible governmental surveillance by the US authorities;
- The parties to the transfer agreements must undertake to provide data subjects whose data is transferred to the US with the necessary remedies in order to ensure effective judicial protection, to actually conduct such proceedings and to accept court decisions issued based on such proceedings.
The Commissioner requests that companies currently transferring data to companies based on the US-Swiss Safe Harbor Framework make the necessary contractual amendments until the end of January 2016. In addition, the Commissioner has announced that he will evaluate whether further steps are necessary in order to guarantee the fundamental rights in Switzerland. He intends to do so in close cooperation with the European authorities.
Even though it is doubtful that the Commissioner is competent to decide whether the US-Swiss Safe Harbor Framework provides an adequate protection level for the transfer of personal data (the recommendations of the Commissioner are not legally binding and, ultimately, it would be up to the courts to decide), the Commissioner’s new statement factually triggers the following consequences:
- Individuals and companies transferring personal data from Switzerland to the US can no longer rely on the US-Swiss Safe Harbor Framework and must enter into contractual safeguards (i.e. data transfer agreements) until the end of January 2016 at the latest and notify the Commissioner about such contractual safeguards (unless other exceptions set forth in Art. 6 para. 2 DPA apply). In our view, despite the Commissioner’s statement which requires adding additional language, it should however still be possible to use the model contracts for the transfer of personal data to third countries of the European Commission, adapted to Swiss law.
- Until the end of January 2016, individuals and companies transferring personal data from Switzerland to the US must also review and, if necessary, adapt existing privacy policies or similar privacy statements/language contained, e.g. on websites, in general terms and conditions or other contractual agreements, with regard to the requirements stated by the Commissioner.