European Union: Swiss Data Protection Authority Finds Swiss-US Privacy Shield Inadequate

Key Takeaways:

• Switzerland aligns with the Schrems II decision
• +5,000 organizations impacted by the Swiss announcement
• Contractual and technical measures, on an ad hoc basis, could be put in place to protect adequately data
• Absent viable measures that meet Swiss law requirements, parties should not engage in cross-border data transfers to the U.S.

Following the Court of Justice of the European Union's (CJEU) lead in the Schrems II case, on September 8, 2020, the Swiss Federal Data Protection and Information Commissioner (FDPIC) announced that the Swiss-US Privacy Shield regime is inadequate for the purposes of personal data transfers from Switzerland to the U.S. The FDPIC does not have authority to invalidate the Swiss-US Privacy Shield regime. However, in practice, the FDPIC's announcement casts serious doubt on the viability of the Swiss-US Privacy Shield as a compliance mechanism for Swiss-US data transfers. The announcement affects the approximately 5,250 organizations certified to the Swiss-US Privacy Shield.

Similar to the CJEU, the FDPIC cited as the bases for its position (i) Swiss residents' lack of enforceable rights in the US; and (ii) deficiencies in the Privacy Shield's ombudsperson's functions - in particular, the ombudsperson's lack of power in respect of U.S. intelligence authorities ability to collect non-U.S. citizens' data. Thus, the FDPIC removed the U.S. from the list of countries that provide an adequate level of data protection "under certain circumstances," in other words, in compliance with the Swiss-US Privacy Shield regime. 

Further, similar to the CJEU's Schrems II decision, the FDPIC announcement casts doubt on the continued viability of contractual safeguards - such as the European Union's Standard Contractual Clauses (SCCs) or binding-corporate rules - for transfers of personal data from Switzerland to the U.S.  Again, the FDPIC criticizes the fact that U.S. public law takes precedence and allows for governmental authority access to the transferred personal data without, what it deems, sufficient transparency and legal protection for affected data subjects. 

The announcement advises Swiss companies to engage in a case-by-case assessment of data exports to the U.S. and other non-approved countries, and to expand the contractual requirements of the SCCs as necessary.  Noting that expanded contractual requirements may be insufficient to address potential governmental authority access to data, the announcement urges Swiss companies to consider whether technical measures (e.g., encryption where only the exporter holds the decryption key) can prevent governmental authorities from accessing the transferred personal data. The announcement further notes that technical solutions will be more challenging for importer services that go beyond mere data storage. If there are no viable technical solutions, the FDPIC recommends against transferring the personal data.

We previously outlined next steps for organizations affected by the CJEU's Schrems II decision, which are now also relevant for purposes of transfers of personal data out of Switzerland.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.