PL&B International E-news, Issue 77

1. Switzerland joins the EU in accepting the US Safe Harbor Framework

Switzerland’s Federal Data Protection Commissioner signed an agreement with the USA on December 9th which establishes a US-Swiss Safe Harbor Framework to simplify the transfer of personal data from Switzerland to the USA while seeking to strengthen the data protection rights of those whose data has been transferred. Under the current arrangement, the USA’s privacy laws have not been regarded as adequate by Switzerland. However, Switzerland has now followed the lines of the current EU - US Safe Harbor programme which has been running since 2000.

The Safe Harbor programme applies only to companies which have self-certified that they meet the criteria required by the US Department of Commerce (PL&B International Newsletter December 2008 p.1). Benefits for companies in Switzerland are that they will no longer neeed to draw up a legal agreement for transferring their personal data to the USA nor submit it to Switzeland’s Federal Data Protection and Information Commissioner for examination.

Sanctions and remedies include action by the US Federal Trade Commission, recourse to dispute resolution bodies and, if the EU model is followed, complaint to Switzerland’s Federal Data Protection Commission. This framework will enter into effect "in due course."

2. EU Art. 29 Data Protection Working Party announces four more countries for its Binding Corporate Rules mutual recognition procedure

After its meeting in Brussels on 10th December, the EU Art. 29 Data Protection Working Party announced four more countries to join its mutual recognition procedure for approval of a company’s Binding Corporate Rules application (PL&B International Newsletter October 2008 p.1). The original list was France, Germany, Ireland, Italy, Lativa, Luxembourg, the Netherlands, Spain and the United Kingdom. The new countries are Cyprus, Iceland, Liechtenstein, and Norway, of which the last three are members of the European Econonmic Area.

The real test is now not so much the number of countries joining but the speed at which they draw up a procedure for breaking the logjam of BCR applications. Companies will want to see an agreement that after the lead country’s approval, the other countries in this mutual recognition club will have a maximum of one month to object. If the lead country hears nothing within 30 days, the DPA approval goes ahead. Not only companies but several DP Authorities are frustrated by their own slow progress.

Other issues discussed at the December meeting of the Art. 29 DP Working Party were:

  1. a new BCR Frequently Asked Question on data subject rights
  2. approval of two new Frequently Asked Questions on terminology and level of detail required for a BCR application on the processing and transfers of personal data within a group of companies.
  3. Google, Ixquick, Microsoft and Yahoo will be invited to the February 2009 meeting to discuss the Working Party’s opinion 1/2008 on data protection issues related to search engines (WP 148) after noting the companies "fair and fruitful co-operation" and noting progress on data retention.
  4. to write to a major provider of "panaramic street level services" such as Google’s Streetview to discuss the "lawfulness of the processing anf the safeguards and guarantees provided by such service."
  5. The Working Party aims to adopt a working paper on E-Discoverry at its February 2009 meeting.
  6. The Working Party will study Belgium’s decision to "close its procedure" against the Society for Worldwide Interbank Financial Telecommunication (SWIFT) – (PL&B International Newsletter December 2008 p.1).

Click here for further information about subscribing to the international newsletter.

Copyright Privacy Laws & Business 2008