Swiss-U.S. Privacy Shield No Longer Considered Adequate by Swiss DPA
On September 8, 2020, the Swiss Data Protection Authority (the Federal Data Protection and Information Commissioner, “FDPIC”) announced in a position statement that it no longer considers the Swiss-U.S. Privacy Shield adequate for the purposes of transfers of personal data from Switzerland to the U.S. This decision follows the July 2020 ruling of the Court of Justice of the European Union (“CJEU”) in the Schrems II case, which invalidated the EU-U.S. Privacy Shield for EU-U.S. transfers of personal data. Because Switzerland is not a member of the EU and is therefore not bound by the CJEU ruling, the FDPIC considered that ruling as part of its annual review of the Swiss-U.S. Privacy Shield Framework rather than applying it directly.
According to the FDPIC, although the Swiss-U.S. Privacy Shield Framework guarantees special protection rights for individuals in Switzerland, it does not provide an adequate level of protection for personal data transferred from Switzerland to the U.S. pursuant to the Federal Act on Data Protection (“FADP”). Accordingly, the indication that the U.S. provides adequate data protection “under certain circumstances” was amended in the FDPIC’s list documenting the adequacy of data protection in certain countries within the meaning of the FADP. While the FDPIC does not have the authority to invalidate the Swiss-U.S. Privacy Shield Framework (and its position is subject to any rulings to the contrary by Swiss courts), in practice, companies may no longer rely on the Privacy Shield framework as a valid data transfer mechanism.
Further, the FDPIC followed the CJEU ruling and concluded that the use of alternative data transfer mechanisms, such as Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules, which are commonly used in Switzerland, requires companies to conduct a risk assessment and possibly implement additional safeguards (including technical measures that can effectively prevent authorities in the receiving country from accessing the transferred data, such as encryption) where the risk assessment indicates that personal data is not adequately protected. When conducting the risk assessment, the FDPIC requires that data exporters evaluate whether the importing company is subject to special access requests by public or government authorities. The exporter must also consider the extent to which the importer is able to cooperate with the exporter in accordance with the Swiss data protection principles. If the importer cannot do so, the SCC provisions requiring cooperation are effectively negated. Where it is not possible to implement additional safeguards, the FDPIC recommends suspending transfers of personal data.