What does the rejection of the Safe Harbour Agreement in the EU mean for the Swiss university community? A legal analysis.
From a European and Swiss standpoint, the data-protection provisions in force in the USA are inadequate. Those parties who nevertheless sought to exchange data with US companies were able to do this based on the "Safe Harbour" agreement. In one of its decisions, the EU Commission, which acts as the EU’s executive body, had stated that the "Safe Harbour" arrangement provided the appropriate level of data protection required by law. The Court of Justice of the European Union (CJEU) now rejects that decision. While its judgment is not binding on Switzerland and its universities, it may nevertheless send an important message. All the same, universities need not act rashly: The cantonal data-protection officials have issued few statements to that effect so far. And the judgment has no effect on the SWITCH agreements in this respect since SWITCH always attempts to conclude special agreements on data handling with US providers.
In a judgment of 6 October 2015, the Court of Justice of the European Union (CJEU) provisionally did away with the so-called Safe Harbour Agreement between the EU and the USA as the basis for the transfer of personal data to the USA. The judgment caused quite a stir and was the subject of widespread commentary even outside legal circles. But what does this decision actually mean at this point for Switzerland and, in particular, for Swiss universities? Our General Counsel has analysed the facts.
From the perspective of the EU as well as Switzerland, the USA lacks an adequate level of data protection: Its legislation is viewed as lax and its legal protection as largely ineffective. In order for the EU and Switzerland to nevertheless exchange data with US companies, the EU Directive 65/46/EC currently in force and the applicable Swiss data-protection laws require that certain additional preconditions be fulfilled. Thus far, one option for transmitting data to the USA was the Safe Harbour Principles, which relate to self-certification for US companies. These principles were negotiated between the EU and the USA (the EU-US Safe Harbour Agreement), while an equivalent legal framework exists between Switzerland and the USA (the CH-US Safe Harbour Agreement). In one of its decisions, the EU’s executive body, the Commission, had stated that the Safe Harbour Principles provided the appropriate level of data protection for the transfer and processing of data. The CJEU has now vacated that decision on the basis that these principles do not fulfil the requirements of EU law and are thus invalid (for the relevant legal details, see the box titled "The CJEU’s rationale").
An important argument made by the CJEU concerned the disproportionate structuring of access to personal data by US authorities. While not only the USA but other States also allow for highly invasive access to personal data by intelligence agencies (in Switzerland, for example, the bill on the new Intelligence Agencies Act (Nachrichtendienstgesetz, NDG) has received harsh criticism for this reason), the CJEU judgment nevertheless relates only to the Safe Harbour and thus to the transfer of data to the USA.
The judgment has no binding effect on Switzerland; furthermore, the Swiss Federal Council recently announced that, at present, Switzerland does not in fact intend to terminate the CH-US Safe Harbour Agreement. Nonetheless, most of the conclusions reached by the CJEU can also be applied to Swiss law. Accordingly, the Swiss Federal Data Protection and Information Commissioner (FDPIC) announced in a number of statements that, in Switzerland too, the CH-US Safe Harbour has now ceased to provide an adequate basis for transferring data to the USA. Consequently, for purposes of transferring data to the USA, the FDPIC recommends, first of all, relying increasingly on the "EU Model Clauses" (standard contract clauses on data processing) or on individual contractual agreements. Second, affected persons should be properly notified regarding instances of access by the authorities. How exactly such notification is to be made remains unclear, however. Bear in mind that the FDPIC’s opinion is not binding; an identical court judgment would be required in order to make it legally effective.
Using the standard contract clauses makes it possible to prevent the consequences of any future cancellation or termination of the CH-US Safe Harbour Agreement. It is important to note, however, that this does not solve the problem of access by the authorities in the USA. Moreover, it may not even be necessary to renegotiate all existing contracts at once: In the wake of the CJEU judgment, the renegotiation of the Safe Harbour Principles, which began in 2013, should now be expedited and concluded between the EU and the USA. If Switzerland endorses a renegotiated arrangement, there is no reason why the revised CH-US Safe Harbour Agreement should not be used in future as the basis for the transmission of data.
For Swiss universities, the situation is as follows: With the exception of federal and private institutions, universities are subject to their respective cantonal laws. Accordingly, it may be advisable to rely on any notifications from the competent cantonal data-protection officials. However, as stated above, even these notifications will not become legally binding except upon a court decision to that effect. Thus far, however, the pronouncements have proven sparse:
So it appears that, for the time being, the cantonal agencies are waiting to see what happens at the federal level before making their own recommendations to the public. Thus, universities probably do not need to rush to revise their contracts.
In most cases, universities are legally liable for the personal data of university members. These personal data may be included in two types of situations involving SWITCH contracts with ties to the USA: First, in the case of framework contracts that SWITCHprocure negotiates and concludes and to which universities may become party; and second, for contracting partners based in the USA that are engaged for purposes of providing SWITCH services. The latter are rare.
An example of the first case is the Microsoft CASA Agreement (Campus and School Agreement) or its new version, which was just signed, as the case may be. In the CASA Agreement, it was agreed with Microsoft that for online services, user data at rest will only be processed in the EU as long as the appropriate contractual option was selected. Furthermore, the contractual scheme is subject to Swiss law and provides for Swiss jurisdiction. The arguments made in the CJEU decision are thus not relevant to this agreement: It is an example of an arrangement containing separate provisions on data processing.
SWITCH will also be closely monitoring future developments—not only in Switzerland, but also in the EU, as these are likewise extremely relevant to the university community. Moreover, we will in future pay special attention to data protection as regards all contracts having ties to the USA.