The Court of Justice of the European Union (CJEU) held in its decision of 6 October that the U.S./EU Safe Harbor Agreement (the Agreement) does not provide an adequate level of data protection and is therefore invalid. The decision affects around 5000 U.S. companies that are self-certified under the Agreement, and their European partners and customers that rely on the Agreement for data transfers into the U.S.
The decision stands against the background of the well-known dispute between Maximilian Schrems and Ireland’s Data Protection Authority (DPA). Mr Schrems, a Facebook user since 2008, requested the DPA to prohibit the transfer of his personal data from Facebook Ireland to Facebook in the U.S., arguing that the U.S. does not provide adequate protection of his personal data, in view of the U.S. surveillance activities that came to light in recent years, in particular through facts revealed by Edward Snowden. The DPA rejected the complaint on the grounds that the EU Commission had found in its decision 2000/520/EC of July 26, 2000 that the Agreement establishes an adequate level of protection. In its decision the CJEU first established that the EU Commission’s adequacy finding does not restrict the powers of national data protection authorities to control the transfer of personal data to third countries, and that data protection authorities must be able to establish, when assessing a complaint, whether a particular data transfer meets the requirements set out in Directive 95/46/EC. In addition, the CJEU reviewed the validity of decision 2000/520/EC. The decision was found invalid primarily for two reasons: the principles of the Agreement do not apply to U.S. authorities, who are not restricted by the Agreement in their activities, and the Agreement does not apply “to the extent necessary to meet national security, public interest or law enforcement requirements”.
The decision is likely to have a significant impact on the transfer of personal data from the EU to U.S. recipients. Transfers must either be authorized by national data protection authorities, or be able to rely on one of the legal exceptions.
Similarly to the Agreement, there is a U.S./Swiss Safe Harbour Agreement (the Swiss Agreement) for data transfers from Swiss entities to certified U.S. recipients. Under Swiss law, however, it is an established rule that any Swiss court or authority (for example, the Federal Data Protection and Information Commissioner, FDPIC) is to determine if a particular data transfer to a recipient abroad is lawful, despite any adequacy finding. Moreover, the FDPIC or any other Swiss court or authority is not bound by the CJEU decision of 6 October 2015. Therefore, the Swiss Agreement is not directly affected by this decision, and personal data may continue to be transferred to U.S. certified recipients for the time being. In addition, most U.S. recipients of personal data act in a processor capacity, and Swiss data controllers are therefore required pursuant to Swiss law to enter into a controller/processor agreement. Typically such agreements will be sufficient under Swiss law to permit transferring personal data to a U.S. recipient, even without relying on the Swiss Agreement.
There is therefore no need for Swiss entities to suspend ongoing data transfers to U.S. recipients, at least where there are controller/processor agreements. Moreover, there is no requirement to notify the FDPIC of such agreements for as long as the Swiss Agreement is not formally invalidated by the FDPIC or a Swiss court. For upcoming transfers, it is advisable for Swiss entities to establish contractual safeguards and notify these safeguards to the FDPIC, or explore alternative exemptions.