According to a ruling of the European Court of Justice, the EU and the USA had until the end of January 2016 to negotiate a new Safe Harbor agreement. In its October 6, 2015 ruling, the European Court of Justice had declared that the USA did not offer a sufficient level of data protection and it was therefore not lawful to transfer personal data. The negotiating parties have not yet submitted any results and so the grace period has expired. Companies can no longer invoke the EU Safe Harbor agreement for transatlantic data transfers.
No solution has been found for the ECJ’s criticisms, namely the extensive government monitoring in the USA and the lack of legal recourse. This does not surprise experts in this area. The situation for companies is drastic, though. They have lost legal grounds for transferring data to the USA. The impact is not limited to large, multinational corporations; it also affects medium-sized companies. If a Swiss company exchanges customer data with a subsidiary in the USA, for example in a shared customer file, it is now in a legally sensitive gray zone. Caution should also be exercised when using cloud services provided by American data centers.
The Federal Data Protection and Information Commissioner (FDPIC) in Switzerland notes: “The FDPIC, as well as the Federal Council, will continue to closely monitor the negotiations between the EU and the USA and take action in accordance with the result of these negotiations. We have to bear in mind that the affected persons in Switzerland always have the option of having a civil court rule on the planned data delivery to the USA.” The discontinuation of the agreement causes legal uncertainty. Therefore, multinational corporations are currently reviewing their data center strategy in terms of the chosen location. Because it is to be expected that EU data protection officials will seek to file suit against offending companies.