October 21, 2020

Volume X, Number 295

Swiss-U.S. Privacy Shield No Longer Considered Adequate by Swiss DPA

On September 8, 2020, the Swiss Data Protection Authority (the Federal Data Protection and Information Commissioner, “FDPIC”) announced in a position statement that it no longer considers the Swiss-U.S. Privacy Shield adequate for the purposes of transfers of personal data from Switzerland to the U.S. This decision follows the July 2020 ruling of the Court of Justice of the European Union (“CJEU”) in the Schrems II case, which invalidated the EU-U.S. Privacy Shield for EU-U.S. transfers of personal data. Because Switzerland is not a member of the EU and is therefore not bound by the CJEU ruling, the FDPIC considered the ruling as part of its annual review of the Swiss-U.S. Privacy Shield Framework.

According to the FDPIC, although the Swiss-U.S. Privacy Shield Framework guarantees special protection rights for individuals in Switzerland, it does not provide an adequate level of protection for personal data transferred from Switzerland to the U.S. pursuant to the Federal Act on Data Protection (“FADP”). Accordingly, the indication that the U.S. provides adequate data protection “under certain circumstances” was amended in the FDPIC’s list documenting the adequacy of data protection in certain countries within the meaning of the FADP. While the FDPIC does not have the authority to invalidate the Swiss-U.S. Privacy Shield Framework (and its position is subject to any rulings to the contrary by Swiss courts), in practice, companies may no longer rely on the Privacy Shield framework as a valid data transfer mechanism.

Further, the FDPIC followed the CJEU ruling and concluded that the use of alternative data transfer mechanisms, such as Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules, which are commonly used in Switzerland, requires companies to conduct a risk assessment and possibly implement additional safeguards (including technical measures that can effectively prevent authorities in the receiving country from accessing the transferred data, such as encryption) where the risk assessment indicates that personal data is not adequately protected. When conducting the risk assessment, the FDPIC requires that data exporters evaluate whether the importing company is subject to special access requests by public or government authorities. The exporter must also consider the extent to which the importer is able to cooperate with the exporter in accordance with the Swiss data protection principles. If the importer cannot do so, the SCCs provisions requiring cooperation are effectively negated. Where it is not possible to implement additional safeguards, the FDPIC recommends suspending transfers of personal data.

Read the position statement.

 

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume X, Number 252



About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...
