After the Safe-Harbor judgment: information on data transfers to the USA
In its judgment issued on 6 October 2015, the European Court of Justice declared the Safe Harbor data protection agreement between Europe and the USA to be invalid. The ECJ held that the transmission of personal data to the USA under the Safe Harbor Agreement regime is problematic. What are the implications for Switzerland?
In its judgment of 6 October 2015 in case C-362/14 (Schrems), the European Court of Justice (ECJ) overturned the decision of the Commission that the United States of America guarantees an adequate level of protection for transferred personal data. Making express reference to the disclosures made by the former employee of the U.S. National Security Agency, Edward Snowden, the ECJ held that, in the case of data that is transferred to the USA under the so-called Safe-Harbor Agreement, there is inadequate protection against unreasonable access by the authorities. In addition, persons outside the USA have no effective judicial protection against such access.
Switzerland concluded a comparable agreement with the USA in 2008 with very similar content, the US-Swiss Safe Harbor Framework. We have therefore analysed the current situation as regards data transfers to the USA and concluded that the shortcomings identified by the European Court of Justice also apply to the US-Swiss Safe Harbor Framework.
The US-Swiss Safe Harbor Framework is a system of self-certification for businesses that wish to import data from Switzerland into the USA. The data protection guarantees that it contains only bind the certified businesses themselves, but not state authorities. There are no other domestic or contractual rules that restrict authorities' access to this data; on the contrary: certain domestic regulations permit the storage of personal data by the US authorities without any differentiation, limitation or exception being made with regard to access or use. As a result, there is no adequate protection to prevent US authorities from gaining unjustifiable access to personal data transferred from Switzerland to the USA.
These circumstances were not the focus of the review made in 2008 of the required guarantees in the US-Swiss Framework. At that time, it was assumed in good faith that the practices of authorities for processing personal data in both countries were comparable, and thus no need was seen for regulation. As a result of the Snowden leaks, however, clear discrepancies have come to light in the attitudes of the two countries as to what should be permitted in order to safeguard national interests. There are therefore serious doubts as to whether the practices of the US intelligence services with regard to accessing the personal data of non-US citizens can be regarded as reasonable. In addition, it has been shown that certified US businesses normally accede to requests for access from the US authorities immediately, without taking account of the guarantees under the Safe Harbor Framework.
Furthermore, the measures relating to the judicial protection of the persons concerned contained in the Framework only bind the certified businesses themselves. This means that persons outside the USA have no effective judicial protection against the authorities' access. These persons therefore have no means under due process of law of contesting the processing of their data by the US authorities.
Even if the decision by the European Court of Justice does not directly affect the Swiss framework, the FDPIC takes the view that Switzerland cannot continue with its own framework without making changes, given the events that have now come to. Instead, it must be ensured that Switzerland provides those affected by the risks outlined above with instruments to safeguard their fundamental rights that are not inferior to the level of data protection afforded by the EU. In particular, the situation must be avoided whereby the new agreements between the EU and the USA can be circumvented by an EU-Switzerland-USA data transfer. It is of major political and economic importance for both Switzerland and the EU that mutual recognition of an appropriate level of data protection continues.
Nor can the remaining option for achieving an adequate level of protection in data transfers with the USA by means of contractual guarantees (under Art. 6 para. 2 of the Data Protection Act) prevent unreasonable access to personal data by the US authorities, because a contract of this type between exporters and importers is not binding on the authorities.
Given that the Federal Council is responsible for concluding international agreements on data protection, clarity can only be achieved at a political level. In our report to the Federal Council dated 23 October 2015, we have therefore recommended that the US-Swiss Safe Harbor Framework be renegotiated so that it meets the requirements of Swiss data protection law. As a joint approach with the EU and its member states is the most expedient option, Switzerland should coordinate its action with the relevant European Union authorities. On 16 December 2015, the Federal Council also made the State Secretariat for Economic Affairs (SECO) responsible for the further work required in connection with the conclusion of a new agreement that better protects the privacy rights of the persons concerned. This work, which must be coordinated with the EU's own efforts, is currently underway.
In the meantime, a follow-up agreement between the EU and the US has entered into force. The so-called "Privacy Shield" exhibits significant improvements compared to the "Safe Harbor" Agreement. With a view to a level of data protection that is as equivalent as possible across Europe, the FDPIC considers an analogous regulation for Switzerland desirable and thus supports the ongoing efforts of the Federal Council in this regard.
As data exchange with businesses in the USA cannot simply be interrupted until the situation is clarified, the businesses concerned must introduce their own additional safeguards for the time being. The most obvious option is contractual guarantees. Even though, as already mentioned, these guarantees cannot entirely solve the problem of unreasonable access by the authorities, they should provide a better level of data protection than the guarantees under the US-Swiss Safe Harbor Framework. We therefore recommend that the following should also be regulated contractually:
- If access to personal data by US authorities cannot be restricted or prevented, this deficiency should be mitigated to some degree at least by imposing higher requirements of transparency in data processing. The persons concerned should therefore be informed clearly and as comprehensively as possible that their data is being transferred to the USA and the authorities there may have access to it.
- The persons concerned should receive a reasonable degree of support in asserting their rights in the USA. Requests for access from US authorities should not be granted indiscriminately. Instead, the businesses concerned should make use of the procedures available to them to prevent such access and then accept the decisions made.
It should be noted that the persons concerned in Switzerland always have the option of having a planned data transfer to the USA assessed by a civil court here. In such cases, the data transfer should be delayed until a legally binding judgment has been issued.
Further information is available on our website.
Last updated on: 25.08.2016