Safe Harbor News: Switzerland Axes It, Israel Stops Recognizing It, and U.S. Congress Acts to Save It

Switzerland Declares U.S.-Swiss Safe Harbor "No Longer Sufficient"

In a press release published on its website October 22, the Swiss Data Protection and Information Commissioner (FDPIC) declared the U.S.-Swiss Safe Harbor to be "no longer sufficient" for data transfers to the U.S. In essence, the FDPIC agreed with the European Union (EU) Court of Justice's (ECJ) Safe Harbor decision of October 6, even though Switzerland is not part of the European Union or governed by its courts. Over 4,400 companies had relied on the U.S.-EU Safe Harbor and over 3,400 companies had relied on the U.S.-Swiss Safe Harbor. The U.S.-EU and U.S.-Swiss Safe Harbors were nearly identical but legally distinct vehicles for data transfers.

In reference to the provisory approach of the EU Article 29 Working Party ("WP 29") for EU-U.S. data transfers, the FDPIC also recommended that companies "in the meantime" rely on "contractual guarantees" within the meaning of Article 6 para 2 lit. a of the Swiss Data Protection Act. According to the authority, this approach would not solve the issue of "disproportionate interferences," however it would temporarily improve the level of data protection.

In particular, contractual guarantees should contain the following provisions:

• Data subjects whose data is transferred to the U.S. should be informed as clearly and exhaustively as possible about the possible access to their data by the authorities, so that they can exercise their rights.
• Companies must commit to offer to affected data subjects effective legal protection to carry out the required procedures and to accept decisions on the basis of such procedures.

In line with the grace period provided by WP 29 for EU-U.S. transfers, the FDPIC now expects companies to make concerted undertakings to make the necessary adjustments to data transfers by the end of January 2016. In coordination with the European authorities, the FDPIC will examine whether further measures are necessary to guarantee that the fundamental rights of data subjects are respected. The FDPIC stated that it would be looking to "Safe Harbor 2.0" for solutions to the issues raised by the ECJ.

The statement can be found on the website of the FDPIC in French, German and Italian.

Israel's Data Protection Authority Disclaims U.S.-EU Safe Harbor

On October 20, the Israeli Law, Information and Technology Authority (ILITA) revoked its authorization to allow U.S. companies to use Safe Harbor as a way to meet onward transfer requirements under Israeli data protection law. The press release stated that companies are now required to assess whether they can use a different derogation, leaving companies to the same devices which are presumptively available in EU-U.S. data flows.

Though the U.S.-EU Safe Harbor was an agreement between the U.S. and EU, the ILITA had in practice recognized Safe Harbor-certified companies as providing "adequate" data protection with regard to transfers from Israel to the U.S. Israel, which enjoys its own "adequacy" finding from the EU, must ensure that transfers to third countries (beyond Europe and Israel) are provided "adequate" protection.

U.S. House Passes Judicial Redress Act

One lynchpin deficiency noted by the ECJ in its Safe Harbor opinion was the lack of judicial redress in the U.S. for European citizens whose data allegedly have been collected or misused by the U.S. government. The Judicial Redress Act of 2015 is aimed to correct that by providing just such redress, not just to bolster the U.S.-EU "Safe Harbor 2.0", but to complete a key promise in the Umbrella Agreement (established for U.S.-EU law enforcement data sharing). The bill passed the U.S. House of Representatives on October 20 and now moves to the Senate, where a timeline for introduction to the floor is unknown, though many commentators are optimistic about its passage.