The Swiss Data Protection and Information Commissioner (FDPIC) recently announced that the U.S.-Swiss safe harbor is “no longer sufficient” to legitimize otherwise invalid data transfers into the United States. See our client alert for more information about the ruling by the European Court of Justice (ECJ), which predates this Swiss statement. In its announcement, the FDPIC recommended that companies rely on “contractual guarantees” as allowed for in the Swiss Data Protection Act.
In a follow-up to the ECJ decision, the European Commission recently released guidance on the impact of the U.S.-EU safe harbor’s removal and available alternatives. The Commission noted that companies have three alternative methods to legally transfer data into the U.S. First, companies may use standard clause contracts, detailed here, which are binding across the EU. Second, companies may adopt binding corporate rules, which require ratification in individual EU member states. Finally, companies might also base data transfers on several derogations in EU data protection laws, such as unambiguous consent, necessity for contract performance, and the exercise of legal claims.
The Commission also provided an update on ongoing negotiations with the U.S. regarding creating a long-term data transfer framework. The Commission previously indicated that EU data protection agencies will not begin enforcement actions against companies that relied on the U.S.-EU safe harbor until February 2016 and stated in its guidance that it hopes to finalize a long-term framework with the U.S. by the end of that grace period. Until the new framework is in place, the Commission recommends companies work independently to legitimize their data transfers by complying with one of the alternative grounds for data transfers listed above. The Commission has recently been cited as indicating that a replacement safe harbor program would be finished by the end of January 2016.
Tip: As the U.S. and EU work to craft a long-term solution, companies both transferring data into the U.S. and receiving data from Europe should think carefully about the legal basis for their transfers.