Switzerland’s DPA concludes that Swiss-US Privacy Shield does not provide adequate level of protection

The fallout from the Schrems II judgment continued with an announcement from Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) that the Swiss-US Privacy Shield regime “does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to [Switzerland’s] Federal Act on Data Protection (FADP).”

In a seven-page policy paper, the FDPIC observed that although Switzerland is not bound by the CJEU’s Schrems II decision and there is no comparable Swiss legal decision, it nonetheless felt “compelled not only to reassess the current position of the US on” Switzerland’s list of countries with adequate data protections, “but also to provide more detailed legal justification for” its decision to amend that list with respect to the US.

Tracking the Schrems II decision, the FDPIC concluded that the potential impact of US surveillance laws on Swiss residents’ personal data without adequate redress is “irreconcilable with” the privacy rights guaranteed by FADP. The FDPIC reasoned: “Because there is no guarantee of rights that would afford persons concerned in Switzerland protection comparable to that afforded by [Swiss law], the FDPIC considers that data protection within the meaning of Art. 6 Para. 1 FADP is insufficient in the US, even for the processing of personal data by US companies that are certified under the [Swiss-US Privacy Shield] regime.”

The FDPIC noted that it does not have the authority to invalidate the Swiss-US Privacy Shield regime and its assessment is “subject to any deviating rulings by Swiss courts.” Consequently, the regime “can be invoked by persons concerned in Switzerland as long as it is not revoked by the USA.” However, the FDPIC amended its list to indicate that the rights provided by the regime “do not meet the requirements of adequate data protection as defined in the FADP.”

The FDPIC also tracked the Schrems II decision with respect to the use of Standard Contractual Clauses (SCCs) and binding corporate rules. The FDPIC concluded that those contractual safeguards “cannot prevent foreign authorities from accessing personal data if the public law of the importing country takes precedence and allows official access to the transferred personal data without sufficient transparency and legal protections of the persons concerned.” The FDPIC was quick to point out that this was true not only for transfers to the US, but to other non-adequate countries as well.

The FDPIC concluded by providing three practical tips for Swiss companies transferring data to countries where there is not an adequacy determination.

First, companies relying on contractual provisions, such as SCCs, must conduct a risk assessment and expand contractual clauses (if possible) to address the law of the receiving country.

Second, companies need to consider whether the law in the receiving country permits the transferred data to be “subject to special access by local authorities” and whether the receiving company is in the position to enforce Swiss data protection principles.

Finally, in such situations, the Swiss data exporter “must consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data.” According to the FDPIC:

If data is stored solely in the cloud by service providers in a non-listed country, for example, encryption would be conceivable, along the principles of BYOK (bring your own key) and BYOE (bring your own encryption), so that no individual personal data would be available in the destination country and if the service provider would have no possibility of decoding the data themselves. For services in the target country that go beyond mere data storage, however, the use of such technical measures is demanding. If such measures are not possible, the FDPIC recommends refraining from transferring personal data to the non-listed country on the basis of contractual guarantees.

The EDPB and European Commission are on track to provide further guidance on cross-border data transfers in light of Schrems II in the coming months.

David Stauss is a partner at Husch Blackwell LLP and co-leader of the firm’s privacy and data security practice group. David regularly assists clients in preparing for and responding to data security incidents, including managing multi-state breach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA) and state information security statutes. To stay up to date on these issues, subscribe to Husch Blackwell’s privacy blog. Stauss can be reached at david.stauss@huschblackwell.com.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.

Switzerland’s DPA concludes that Swiss-US Privacy Shield does not provide adequate level of protection

Blog Topics

Security Blog

On the Track of OSAC

Blog Roll

Security Industry Association

Security Magazine's Daily News

SIA FREE Email News

SDM Blog

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

Switzerland’s DPA concludes that Swiss-US Privacy Shield does not provide adequate level of protection

Share This Story

Blog Topics

Blog Roll

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.