CJEU declares US-EU Safe Harbor Framework to be invalid – Impact on Switzerland
7. October 2015 – By decision of 6 October 2015 the Court of Justice of the European Union (CJEU) declares that the European Commission’s Decision of 26 July 2000 finding that, under the US-EU Safe Harbor Framework, the USA ensures an adequate level of protection of the personal data transferred, is invalid (Judgement C-362/14).
The CJEU further held that where a claim is lodged with the national supervisory authorities in the European Union, the supervisory authorities may, even where the European Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person’s data to the third country complies with the requirements of the EU Directive 95/46/EC (“EU Directive”).
Switzerland and the USA have entered into a separate agreement, i.e. the US-Swiss Safe Harbor Framework (also known as US-Swiss Safe Harbor Agreement), which is however similar to the aforementioned US-EU Safe Harbor Framework. The Swiss Federal Data Protection and Information Commissioner (“Commissioner”) considers the US-Swiss Safe Harbor Framework to provide an adequate level of protection for personal data compared to the Swiss data protection legislation. As a consequence, transfers of personal data from Switzerland to a recipient based in the USA that is certified under the US-Swiss Safe Harbor Framework do – under certain conditions – not require specific additional measures to be taken (see Transferring Personal Data Abroad)
As Switzerland is neither a member of the European Union nor of the European Economic Area, the aforementioned decision of the CJEU does not have any direct impact on the validity of the US-Swiss Safe Harbor Framework. However, it cannot be excluded that in light of the above-mentioned decision the Commissioner and/or the Swiss government may in the future change their view on the US-Swiss Safe Harbor Framework. In addition, transfers of personal data from the EU to a recipient based in Switzerland (which the European Commission currently considers as providing an adequate level of protection) may in practice become an issue for EU based companies if the Swiss recipient is allowed to forward such personal data to US based recipients that are certified under the US-Swiss Safe Harbor Framework without taking any other measures.
In light of the above, individuals and companies based in Switzerland that are transferring personal data from Switzerland to US based recipients according to the US-Swiss Safe Harbor Framework should therefore closely follow any potential developments regarding the approach taken by the Commissioner and/or the Swiss government in this matter. Furthermore, EU based companies as well as Swiss based companies with offices, affiliates and/or subcontractors located in the EU must check if transfers of personal data from such companies, offices, affiliates and/or subcontractors to US based recipients still meet the requirements set forth by the EU Directive and by domestic law. If not, corrective measures must be taken.