No More Safe Harbour

What does the rejection of the Safe Harbour Agreement in the EU mean for the Swiss university community? A legal analysis.

Text: Esther Zysset, published on 18.12.2015

Summary for readers in a hurry:

From a European and Swiss standpoint, the data-protection provisions in force in the USA are inadequate. Those parties who nevertheless sought to exchange data with US companies were able to do this based on the "Safe Harbour" agreement. In one of its decisions, the EU Commission, which acts as the EU’s executive body, had stated that the "Safe Harbour" arrangement provided the appropriate level of data protection required by law. The Court of Justice of the European Union (CJEU) now rejects that decision. While its judgment is not binding on Switzerland and its universities, it may nevertheless send an important message. All the same, universities need not act rashly: The cantonal data-protection officials have issued few statements to that effect so far. And the judgment has no effect on the SWITCH agreements in this respect since SWITCH always attempts to conclude special agreements on data handling with US providers.


In a judgment of 6 October 2015, the Court of Justice of the European Union (CJEU) provisionally did away with the so-called Safe Harbour Agreement between the EU and the USA as the basis for the transfer of personal data to the USA. The judgment caused quite a stir and was the subject of widespread commentary even outside legal circles. But what does this decision actually mean at this point for Switzerland and, in particular, for Swiss universities? Our General Counsel has analysed the facts.

Why the Safe Harbour exists and what the CJEU has done

From the perspective of the EU as well as Switzerland, the USA lacks an adequate level of data protection: Its legislation is viewed as lax and its legal protection as largely ineffective. In order for the EU and Switzerland to nevertheless exchange data with US companies, the EU Directive 65/46/EC currently in force and the applicable Swiss data-protection laws require that certain additional preconditions be fulfilled. Thus far, one option for transmitting data to the USA was the Safe Harbour Principles, which relate to self-certification for US companies. These principles were negotiated between the EU and the USA (the EU-US Safe Harbour Agreement), while an equivalent legal framework exists between Switzerland and the USA (the CH-US Safe Harbour Agreement). In one of its decisions, the EU’s executive body, the Commission, had stated that the Safe Harbour Principles provided the appropriate level of data protection for the transfer and processing of data. The CJEU has now vacated that decision on the basis that these principles do not fulfil the requirements of EU law and are thus invalid (for the relevant legal details, see the box titled "The CJEU’s rationale").

How things stand now: In Switzerland...

An important argument made by the CJEU consisted in the disproportionate structuring of access to personal data by US authorities. While not only the USA but other States also allow for highly invasive access to personal data by intelligence agencies (in Switzerland, for example, the bill on the new Intelligence Agencies Act (Nachrichtendienstgesetz, NDG) has received harsh criticism for this reason); the CJEU judgment nevertheless relates only to the Safe Harbour and thus to the transfer of data to the USA.

The judgment has no binding effect on Switzerland; furthermore, the Swiss Federal Council recently announced that, at present, Switzerland does not in fact intend to terminate the CH-US Safe Harbour Agreement. Nonetheless, most of the conclusions reached by the CJEU can also be applied to Swiss law. Accordingly, the Swiss Federal Data Protection and Information Commissioner (FDPIC) announced in a number of statements that, in Switzerland too, the CH-US Safe Harbour has now ceased to provide an adequate basis for transferring data to the USA. Consequently, for purposes of transferring data to the USA, the FDPIC recommends, first of all, relying increasingly on the "EU Model Clauses" (standard contract clauses on data processing) or on individual contractual agreements. Second, affected persons should be properly notified regarding instances of access by the authorities. How exactly such notification is to be made remains unclear, however. Bear in mind that the FDPIC’s opinion is not binding; an identical court judgment would be required in order to make it legally effective.

If Switzerland endorses a renegotiated arrangement, there is no reason why the revised CH-US Safe Harbour Agreement should not be used in future as the basis for the transmission of data.

Using the standard contract clauses makes it possible to prevent the consequences of any future cancellation or termination of the CH-US Safe Harbour Agreement. It is important to note, however, that this does not solve the problem of the accesses by authorities in the USA. Moreover, it may not even be necessary to renegotiate all existing contracts at once: In the course of the CJEU judgment, the renegotiation of the Safe Harbour Principles, which began in 2013, should now be expedited and concluded between the EU and the USA. If Switzerland endorses a renegotiated arrangement, there is no reason why the revised CH-US Safe Harbour Agreement should not be used in future as the basis for the transmission of data.

...and for the universities?

For Swiss universities, the situation is as follows: With the exception of federal and private institutions, universities are subject to their respective cantonal laws. Accordingly, it may be advisable to rely on any notifications from the competent cantonal data-protection officials. However, as stated above, even these notifications will not become legally binding except upon a court decision to that effect. Thus far, however, the pronouncements have proven sparse:

  • In the Canton of Zurich, the cantonal Data Protection and Information Commissioner has stated that, for purposes of data transmissions to the USA, the protection measures should be adapted where necessary, specifically by encrypting personal data. However, he does not state which type of encryption he means.
  • At present, a search conducted on the websites of the privacy commissioners of the other major cantons yields no results.
  • As far as we can tell, to date, the Association of Swiss Privacy Commissioners has likewise refrained from making any official statement regarding the effects of the Safe Harbour judgment.

So it appears that, for the time being, the cantonal agencies are waiting to see what happens at the federal level before making their own recommendations to the public. Thus, universities probably do not need to rush to revise their contracts.

What about the SWITCH contracts?

In most cases, universities are legally liable for the personal data of university members. These personal data may be included in two types of situations involving SWITCH contracts with ties to the USA: First, in the case of framework contracts that SWITCHprocure negotiates and concludes and to which universities may become party; and second, for contracting partners based in the USA that are engaged for purposes of providing SWITCH services. The latter are rare.

Microsoft CASA-Agreement: The arguments made in the CJEU decision are not relevant to this agreement. It is an example of an arrangement containing separate provisions on data processing.

An example of the first case is the Microsoft CASA Agreement (Campus and School Agreement) or its new version, which was just signed, as the case may be. In the CASA Agreement, it was agreed with Microsoft that for online services, user data at rest will only be processed in the EU as long as the appropriate contractual option was selected. Furthermore, the contractual scheme is subject to Swiss law and provides for Swiss jurisdiction. The arguments made in the CJEU decision are thus not relevant to this agreement: It is an example of an arrangement containing separate provisions on data processing.

SWITCH will also be closely monitoring future developments—not only in Switzerland, but also in the EU, as these are likewise extremely relevant to the university community. Moreover, we will in future play special attention to data protection as regards all contracts having ties to the USA.

 

About the author
Esther   Zysset

Esther Zysset

Esther Zysset has been General Counsel at SWITCH since 2012. Prior to that, she was a lawyer at a firm specialising in corporate law.

E-mail

The CJEU’s rationale

In its judgment, the CJEU held that it is necessary to examine all of the circumstances for purposes of determining the appropriate level of protection. Over time, however, these circumstances might change—a clear reference to the US surveillance scandal that has taken place in recent years (the Snowden case). According to the CJEU’s rationale, the fact that US law requires certified companies, inter alia, to disregard the Safe Harbour Principles for reasons of national security is problematic. This therefore allows for extensive infringements of fundamental rights. While this fact is not unlawful per se, the Commission’s controversial decision lacks references to any rules of US law that might restrict these infringements in terms of proportionality; the decision also lacks considerations regarding effective judicial protection in the USA, the CJEU reasoned. Thus, the Safe Harbour arrangement does not fulfil the requirements of the EU Charter as regards infringements of fundamental rights. For this reason, the Commission’s decision should be considered invalid.

Tags
Corporate
Other articles