In October 2015, the European Court of Justice declared the previously valid Safe Harbor agreement for transatlantic data transfer to be invalid. On February 2, 2016, it became clear that the two negotiating parties would work on a follow-up agreement. In the meantime, legal uncertainty prevails. Not only can data protection authorities submit further claims, but the new Privacy Shield agreement also still has to be passed by the EU states and the EU parliament.
What has happened up to now
In its October 6, 2015 ruling, the European Court of Justice (ECJ) upheld the claim of an Austrian data protection activist. The judges decided that the Safe Harbor agreement that was in place at that time did not offer sufficient protection. As a result, the agreement, which legitimized the transfer of personal data between the EU and the USA, became invalid. The ECJ based its decision on the fact that, as part of its extremely extensive government monitoring, the USA also scans data from EU citizens, who did not have recourse to legal action against the government accessing the data. At the end of January, the grace period that was set for renegotiating the agreement expired. Only on February 2, 2016, did the head EU negotiators present the results. They announced that a new agreement had been negotiated – the Privacy Shield.
Some facts about the new agreement have already been communicated. The following items are to be regulated:
• In the future, the US Department of Commerce will audit and monitor US companies that process data from Europe.
• The US companies must adhere to the new binding principles and can be subject to sanctions if they do not comply.
• An ombudsman will be assigned to resolve complaints of privacy breaches due to personal data being used unlawfully by intelligence authorities.
• An alternative dispute resolution mechanism is to be introduced that allows EU citizens to stop misuse of their data.
• The EU and the USA will annually audit compliance with the agreement.
The USA evidently did not make far-reaching concessions such as excluding the data of EU citizens from its mass surveillance. In data protection circles, the new agreement is seen more as a temporary solution than as an effective agreement to protect privacy.
Although the Privacy Shield agreement will be ready in three months' time, it first has to be approved by the EU states and the EU parliament. A new ruling by the European Court of Justice is also possible, and the court’s critical stance with respect to the USA’s data protection efforts is well known.
Continuing legal uncertainty
The situation for companies remains uncertain. The current legal framework no longer meets data protection requirements and can still be challenged in a civil court. The new Privacy Shield agreement raises many questions, and a consensus and a new agreement are still not within reach.
Special case Switzerland
The Federal Data Protection and Information Commissioner (FDPIC) recommends the following to Swiss companies: “Until a new agreement has been negotiated with the US government, the Safe Harbor agreement also in Switzerland no longer provides a sufficient legal basis for data protection compliant transfer of personal data to the USA. In the meantime, the FDPIC recommends negotiating contractual guarantees under the Swiss data protection act (DSG, Article 6(2)(a)) for sharing data with US companies. Even though this does not solve the problem of mass surveillance by authorities, it does improve the level of data protection.”
The currently valid US-Swiss Safe Harbor Framework is not directly suspended, but after the EU negotiations are complete the Swiss Federal Council will work on a parallel agreement to the new Privacy Shield. Data transfer between the EU and Switzerland remains legal since Switzerland meets EU data protection requirements. Switzerland still has key advantages as a location for company data – for companies in the EU, the USA, and Switzerland.
The announcement of the new Privacy Shield agreement does not eliminate the prevailing legal uncertainty regarding foreign data storage locations or data transfers. Planning security and investment protection are still absolutely necessary, especially for multinational companies, because planning a data center strategy is a long-term undertaking. Switzerland remains a reliable and stable location for storing data.