The end of the Safe-Harbor agreement – what now?

The European Court decided on October 6th 2015, that the safe-harbor agreement – which allowed European organizations to legally transfer personal data to US companies for processing if these companies declared their conformance with the European privacy regulations, was not sufficient to protect the privacy of European citizens: “legislation permitting [American] public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” (see further details in this Article in the Economist)

The consequences for European and Swiss companies are harsh. The transfer of personal data to US companies under the safe-harbor agreement is considered illegal since October 6th. Transfer means any form of delivering data to US companies and any form of processing by these organizations, even giving permission of only read access to them.

What are the consequences for Swiss companies?

Switzerland has a separate safe harbor agreement with the US. However, because its content is similar to the one which was signed by the EU and the US, the consequences faced by Switzerland can be severe:

If Switzerland doesn’t cancel the agreement with the US, it might face the following consequences:

  1. The EU might cancel Switzerland’s state as a “safe country” regarding the treatment of personal data, because Switzerland doesn’t apply sufficient and adequate level of protection of personal data of EU citizens.
  2. This will move Switzerland to the group of countries which don’t have data protection standards at all, basically preventing any EU company to transfer personal data to Switzerland.

What are your options?

Will there be international agreements soon?

The Economist says that there is a tendency towards the “balkanisation” of the internet. We share this opinion and believe that most countries will try to impose their views of security, privacy and protection of data. The court ruling was strongly driven by the affair around Edward Snowden and the treatment of data by the american intelligences, particularly the NSA. As long as security agencies are involved, there will be no protection of personal data on the internet, so countries and organization will better make their own preparations and enforce adequate measures.

What’s the impact on EU and Swiss organizations which transfering data to the US?

Safe Harbor was an easy way to circumvent the necessary controls which were needed to guarantee the protection of personal data which is required by EU and Swiss legislation, based on the principle of self-declaration.

Although responsibility and governance was always with management and executive boards (depending on national governance regulation), your responsibility as a board member hasn’t changed, but the way how you are going to control the compliance with the national data protection legislation.

According to Swiss and other laws, a board member will be directly liable for the violation of personal data of their customers or employees (Art. 716 of the Swiss Code of Obligations).

It is important, that you verify whether personal data has been stored under the protection of the safe harbor agreement or whether you are using cloud or other services offered by US organizations which are not adequately protected.

What needs to be done?

An active strategy to cope with this risk is mandatory. Under the safe harbor agreement, a simple clause in a contract was sufficient. These days are done!

As a CEO or board member you must be able to answer the following questions:

  • Where do you store your data?
  • Who is responsible for processing the data? Who owns them?
  • Under which rules personal data was acquired?
  • Do you know the data related content of your contracts with all your contractors?
  • Who collected personal data, what was the reason and how is it being processed?
  • What are the security measurements?
  • What is the changed risk situation and which new risks have been identified?
  • Do you have data protection policies and strategies? Are data protection , privacy and security policies in line?
  • Was personal data stored in a cloud by your employees and what are the therefore policies ?
  • Are you able to control your mobile devices and the way personal data is stored?
  • Do you rely to a traditional IT-Governance approach or did you establish Information Governance, thus focusing on the treatment of information, not hardware and software?

Can we assist you?

The Swiss Information Governance Competence Center (KRM) and  Mission 100 have established services which address the above mentioned challenges.  Our  comprehensive consulting approach covers all aspects, whether they are legal, technical, organisational or internal control and audit related.

With our 5 steps approach we will support you individually:

Step 1: Identification of critical providers, cloud services or outsourcing agreements. Identifying high risk contracts and agreements.

Step 2: Identifying immediate action issues, pointing our risks and develop mitigation measurments  This includes contractual, technical, organizational and other measurements, including discussion of business rules and behavior.

Step 3: Implementation of immediate actions/measurements

Step 4: Analyzing remaining business and data constellations and develop adequate measurements.

Step 5: Implemention of additional measurements

Step 6: Coach implementation and monitoring progress, supporting risks management and improvement.

Step 7: Providing and support certifications process towards EU certification bodies, if this is a requirement


MISSION 100 e.V:

MISSION 100 stands for 100 % information security and privacy. This is a dynamic ideal what is subjected to a permanent change, defined by you on on your own. Your requirement is our mission.

We are an international team of long term experienced experts for privacy and information security management and used to work under specific requirements of our customers. Hereby risk management is always our focus. This means it doesn’t make sense to list standards, policies, acts or other legal requirements, but to offer solutions to be able to control systems and data and comply to the challenges of international IT-environments. Technique is the same all over the planet, but the legal requirements differ from country to country. We reveal the how to comply and provide our customers how to get back the control of the system. Especially if legal requirements contradict in a way that a compliant system environment seems to be impossible.


The Swiss Information Governance Competence Center  (KRM) is focussing its services on information governance and is running the first competence centre in Europe. We create value propositions for our customers by combining traditional concepts of IT and information management science with the new world of systems of engagement (social media, mobility). We are building bridges between highly specialized domains and promote holistic and enterprise wide solutions. However we never lose the practical sense for viability, pragmatism and quick wins. When communicating with our partners an interdisciplinary approach is always applied incl. corporate visionary thinking as well as the required professional competencies in all related disciplines.


With our international network of experts we are able to support you in the EU and in the US.


Submit a Comment

Your email address will not be published. Required fields are marked *

Related articles

On 16.3. is Digital Cleanup Day

On 16.3. is Digital Cleanup Day

Tidying up is clearly not everyone's cup of tea, but we all know the good feeling that a tidy room, a tidy desk or ... a tidy drive! You can feel proud with a clear conscience, because deleting data also has an important effect on energy consumption. I have calculated...

read more
Dealing with data risks: Data breach notification

Dealing with data risks: Data breach notification

A data breach notification or "data breach notification" refers to the process by which an organization or company is required to notify the relevant data protection authorities and, if applicable, data subjects of a data breach that is likely to result in a high risk...

read more