CPC is online with information for 32 countries.

The Cloud Privacy Check (CPC)  is online at https://dataprivacycompliance.eu/ch.html

CPCDPC facebookCover v3


The CPC is an online resource containing highly relevant information about data protection issues related to Cloud Computing, covering 32 European jurisdictions.  You will find a tool that helps Cloud Customers find answers faster.  If you are a Cloud Service Provider, the tool will help you understand the questions that are relevant for your customers.  Further material is available upon request.

The CPC follows a simple four-step process to go through the relevant steps a customer will meet during the legal analysis.

This four-step process reflects a structure and uses iconography LAUX LAWYERS AG has helped to invent.

The CPC is meant as an entry point into the legal analysis, and does not cover aspects related to regulations such as banking secrecy, etc.


Today, on 6 October 2015, the European Court of Justice (ECJ) has rendered its highly anticipated judgment regarding the Safe Harbor regime between the US and the EU. Nothing else had to be expected after having seen the submission of Advocate General, Mr. Bot, which had been issued in late September 2015.  Now, the ECJ has declared void the Commission’s decision underlying the Safe Harbor Agreement.

In our view, the ECJ’s decision is one of the more significant events for data protection law in general and for server-based applications with respect to the United States (in particular cloud solutions) in particular. When assessing the decision one should be careful, however, not to read more into the decision than what the Court of Justice (ECJ) has actually said.

Here is our first preliminary assessment of the Safe Harbor judgment. We write this on the basis of the press release of the ECJ that is accessible at


The ECJ had to render a judgment about the Commission's decision of 2000 in which the Commission declared the Safe Harbor regime valid.  The ECJ has stated that a) the Commission, in that decision, has exceeded its competences and b) the 2000 decision fell short of what the Commission actually should have declared therein (“equivalent level of protection "). In view of these deficiencies, and by pointing out that the design of the Safe Harbor regime violates the EU Charter of Fundamental Rights, the ECJ annulled the Commission’s decision.

In the Commission's decision of 2000, the Commission has found that European companies are allowed to transmit personal data to a US company, if the US recipient company submited to the Safe Harbor regime. With the ECJ’s ruling, such conclusion is now invalid.

The background to this is that the Safe Harbor regime comprises the following express reservation:

"adherence to theory principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements."

Based on this language from the Safe Harbor regime, a US recipient company would still comply with the Safe Harbor regime, even if the NSA accesses the US recipient company’s data on a massive scale. In its press release, the ECJ summarises as follows:

“Without needing to establish whether that scheme ensures a level of protection essentially equivalent to that guaranteed within the EU, the Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.”

As a result, the language quoted from the Safe Harbor Framework represents a significant limitation of the European Charter of Fundamental Rights – and seemingly justified by the Commission's decision of 2000. However, the Commission is not competent to decide on restrictions of the European Charter of Fundamental Rights. Accordingly, the Commission's decision is unlawful and void.

The ECJ then generally stated the following with regard to competencies: Even if the Commission's decision had been declared to be lawful, the Irish national data protection authority would have been permitted to scrutinize the equivalency decision of the European Commission on a case-by-case basis.

In result, the decision means that a European company must ensure by other means (eg. by means of Standard Contractual Clauses, or other instruments) that the US companies provide protective measures to safeguard personal data. Exclusive reliance on the Safe Harbor regime is no longer possible.

In Particular, the decision does not – at least according to the press release of the ECJ – comment on the following:

  • whether the United States have an adequate level of protection in terms of privacy;
  • whether a European company may outsource personal data based on Standard Contractual Clauses to a US recipient company;
  • if an offer of a US cloud service (without the interposition of an European office) infringes European Union law.

The decision is expected to have significant consequences for the future of the Swiss Safe Harbor Program. We expect that the Federal Data Protection and Information Commissioner will comment on this matter soon.Fortunately, the Safe Harbor Program (neither in the European nor in the Swiss shaping) is not the only approach how to lawfully exchange data with US companies. We will be happy to discuss with you in more detail what approaches should be taken in order to remedy the consequences of today’s landmark decision.