Invalidation of Safe Harbor: Where to dock Swiss data?

in Advisory, 16.10.2015

Privacy Enhancing Ruling

On 6 October 2015, the European Court of Justice (ECJ) invalidated the EU-US Safe Harbor Agreement. The court’s ruling is a new chapter in a series of Privacy Enhancing Rulings by regulators and courts worldwide that strengthen citizens’ privacy.

What is Safe Harbor?

The US-EU & US-Swiss Safe Harbor frameworks provided a legal basis for transferring personal data to and from the US. Both EU and Swiss legislation stipulate that the transfer of personal data is only allowed with countries that offer an adequate level of protection. While the US level of protection is not considered to be adequate, the safe harbor framework nevertheless enabled an exchange of personal data between Swiss and EU companies with US organizations, provided the US organization is (self)certified with the seven safe-harbor principles (i.e. notice, choice, onward transfer, access, security, data integrity, enforcement).

Safe Harbor for Swiss data

Similar to the EU, the Swiss privacy regulator (FDPIC) acknowledged the safe harbor scheme as legal grounds for personal data transfers to the US. In essence, the US-Swiss Safe Harbor framework is equivalent to the US-EU framework. More than 3000 companies in Switzerland currently make use of this scheme for their data transfers with the US.

Safe Harbor was always under fire

Since its inception, the safe harbor agreement has been under fire by privacy scholars and experts. The criticism focused on the fact that the safe harbor agreement relies on a self-certification scheme that is not independently monitored. This means that there was always a risk that organizations did not implement their personal data management adequately – possibly without even knowing it – thus offering insufficient privacy protection.

Safe Harbor no longer safe

One of the ECJ’s key arguments for invalidating the safe-harbor agreement was that US public authorities have access to the content of electronic communications on a generalized basis (think NSA’s PRISM). The ECJ argued that this compromises the essence of the fundamental right to respect for private life.

Hence, interestingly enough, the reason for invalidating safe harbor has nothing to do with the shortcomings of the framework itself, but with the overall privacy shortcomings of the country to which it applies (i.e. the USA). The logical conclusion would therefore be that the ultimate solution is to suspend all transfers of personal data to the US. However, that solution is not a very practical one.

Where to dock now?

This leaves us to ponder other possible solutions. From a legal perspective, there are other legal grounds available in order to lawfully transfer data with the USA, such as:

Rather than discussing the content of these options, I would like to emphasize the fact that they are merely other legal grounds. None of these options will limit the US authorities’ possibilities to access citizens’ personal data. Therefore, there is a risk that these options are only acceptable for the time being. We could very well imagine that in a new ECJ or Swiss court proceeding, these other options will be invalidated as well, as they do not offer a solution for the underlying problem, i.e. that of the authorities having access to our personal data!


Of course, having proper legal grounds for data transfers is important. Nevertheless, instead of focusing on the legal aspects of the data transfer, organizations should concentrate on the protection of personal data. The goal should be to transfer personal data only if and when it can be ensured that the data is adequately secured and will not fall into the ‘wrong’ hands. Correct use of Privacy Enhancing Technologies (including encryption, data minimization, data masking, etc.) and privacy controls is vital for this. State-of-the-art IT security techniques in combination with proper implementation of privacy principles should be the norm for every organization doing business in Switzerland and/or the EU. Only by implementing such principles properly will organizations be able to avoid the negative consequences of the next big Privacy Enhancing Ruling.






  1. Gian-Franco Hefti

    I do not think that the use of data protection technologies can guarantee that the US authorities cannot access the transferred personal data. It therefore seems to me of central importance that the data subjects give their consent before their data is transferred to the USA.

    • Jeffrey Bholasing

      Hi Gian-Franco, thanks for your comment!
      You make a very valid point in saying that implementation of data protection technologies will not guarantee that others might gain access to the data. However, I do not believe that consent is the way forward. In a society that’s going to be more and more data driven, consumers would be bombarded with consent requests and consequently, consent as a ground for data processing would lose its value. Regardless of having consent or not, companies should do their utmost in protecting their customer’s data. This necessitates the highest standards of IT security. This is demanded by data protection regulation and regulators worldwide and will become increasingly enforced in the future. Of course and unfortunately, we would never reach a 100% secure situation, but locking your door with an approved lock is significantly better as opposed to leaving the door wide open!

      Please let me know if you have further questions.

      Kind regards,
