23.12.2015 – With judgment of 6 October 2015, the European Court of Justice (ECJ) invalidated the existing Safe Harbor regime for transfers of personal data from the EU to the U.S. Switzerland has a similar Safe Harbor regime with the U.S. in place. Since Switzerland is not bound by the ECJ decision, one might take the position that the Swiss Safe Harbor regime is not affected by the judgment. However, many uncertainties are surrounding this position, in particular since the Swiss Federal Data Protection and Information Commissioner (FDPIC) took the view that in light of the ECJ decision the Swiss Safe Harbor regime can no longer be considered as sufficient legal basis to transfer personal data to the U.S.; he therefore recommended implementing additional data transfer agreements. Although the opinion of the FDPIC is not binding, it does carry some weight. Moreover, there is a risk that data protection authorities in EU member states may start considering data transfers from the EU to Switzerland problematic, if Swiss companies still transfer personal data to the U.S. based solely on its Safe Harbor regime. From this it follows that the ECJ decision definitely also matters to Swiss companies and, therefore, to Swiss M&A deals.
For the time being, many uncertainties remain although additional data transfer agreements may for the short term mitigate the situation to some extent. Data protection compliance is already a due diligence topic today, but given the current situation, developments in this area in 2016, in particular the announced arrival of the "Safe Harbor 2.0" regime, have to be monitored constantly and more carefully to be able to reassess the situation and quickly adapt practices if need be.