Safe Harbor Framework invalidation: recommendations for Switzerland

I.  Introduction

In a decision dated October 6th, 2015 (Case Max Schrems vs Facebook), the European Union Court of Justice invalidated the Safe Harbor Framework, which had permitted U.S. companies to comply with EU restrictions on the transfer of personal data outside the EU. As a non-EU country, Switzerland concluded the “US-Swiss Safe Harbor Framework” (“Swiss SHF”), which is the equivalent of the EU Safe Harbor. This decision creates a real legal vacuum for around 4,500 companies which were relying on the Safe Harbor Framework to transfer data to the USA, and this also applies in Switzerland.

Read this good article that summarizes the context of the decision, the legal issues and the proposed recommendations for multinational companies in EU.

II.  Communication from the Swiss Commissioner

In his latest communication (in French), dated October 22nd, 2015, the Swiss Federal Data Protection and Information Commissioner considers that the Swiss SHF is no longer a sufficient legal basis and recommends that all Swiss companies amend their contracts with US corporations to include provisions which guarantee an adequate level of data protection.

In addition, the Commissioner recommends that Swiss corporations, by January 2016:

  • promptly and expressly inform all data subjects of a possible access to their data by US authorities; and
  • include provisions in their agreements to support data subjects in implementing adequate measures to ensure sufficient legal protection, execute corresponding procedures and accept any effective decision from an authority.

The Commissioner points out that any individual is entitled to require a civil court to examine the validity of each data transfer.

III.  Conclusion

With this decision, data transfer to the USA is not illegal provided that companies comply with the above-mentioned recommendations and update the provisions in their agreements with sufficient guarantees that measures are taken to ensure data security.

However, the United States has clearly been considered a country where the level of security related to data is not adequate, due to US regulations allowing mass surveillance. This is a direct consequence of the Edward Snowden revelations. Therefore, as long as companies comply with their obligations to ensure adequate protection measures and inform individuals of a potential access to their data by the US authorities, data transfer shall remain valid.

In Europe, the Article 29 Group (G29) has required EU institutions to renegotiate a new Safe Harbor Framework, compatible with EU laws, within 3 months from the decision of the European Court. Given the number of companies that are subject to this decision, this will be very interesting to follow.