Swiss Regulator Determines Swiss-US Privacy Shield Is Inadequate

Latham & Watkins LLP

Swiss companies are advised to take additional measures when transferring personal data from Switzerland to the US.

On 8 September 2020, the Swiss data protection authority, Adrian Lobsiger (the Federal Data Protection and Information Commissioner, FDPIC), concluded in his annual review that the Swiss-US Privacy Shield does not provide an adequate level of protection for personal data transfers from Switzerland to the US pursuant to the Swiss Federal Act on Data Protection (FADP). Mirroring the findings of the Court of Justice of the European Union (CJEU) in the recent Schrems II decision, the FDPIC also concludes that the standard contractual clauses (SCCs) and binding corporate rules (BCRs) (as applied in Switzerland) may not provide adequate protection for transfers to the US or other third countries.

The FDPIC ultimately reaches the same conclusions as the CJEU in Schrems II, which invalidated the EU-US Privacy Shield and imposed a number of caveats on use of the SCCs. In previous posts, Latham has commented on the Schrems II decision and considerations for addressing data transfer risks.

Whilst the FDPIC and the Swiss courts are not bound by the CJEU, the FDPIC nonetheless closely follows the CJEU’s reasoning in Schrems II. The FDPIC states that, in its view, Swiss individuals do not have sufficient rights of redress or remedy in the context of US authorities’ access to data; the Privacy Shield ombudsman mechanism cannot be properly assessed due to a lack of transparency; and the US legal regime providing for such access is incompatible with Swiss data protection laws.

On this basis, the FDPIC found that the Swiss-US Privacy Shield does not provide adequate protection for personal data transfers to the US pursuant to the FADP, and changed the respective entry in its list of countries providing adequate protection. As in Schrems II, the FDPIC’s assessment does not itself invalidate the Swiss-US Privacy Shield self-certifications, and if a company has certified under the rule, data subjects can still rely on the rights provided under it. Swiss companies, however, may no longer rely on the Swiss-US Privacy Shield as a valid data transfer mechanism.

In relation to the SCCs, the FDPIC concludes that the SCCs, or BCRs (as applied in Switzerland), alone may not provide for adequate protection for transfers to the US or other countries Switzerland does not recognise as adequate. The FDPIC recommends:

  • Swiss data exporters conduct a case-by-case risk assessment of data transfers in reliance on SCCs and BCRs.
  • Swiss data exporters specifically consider whether the foreign recipient company can provide the cooperation necessary for the enforcement of Swiss data protection principles. If not, the SCCs cannot be complied with, and cannot alone provide an adequate level of protection.
  • If the foreign recipient company cannot provide such necessary cooperation, the Swiss data exporter must consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data. Examples include encryption, the principles of BYOK (bring your own key), and BYOE (bring your own encryption).

The FDPIC states that he will provide Swiss companies with further guidance on data export mechanisms as soon as further information — such as statements from the European Data Protection Board — is available. The Swiss regulator is likely to closely follow those across the European Union in the wake of Schrems II.

This post was prepared with the assistance of Nara Yoo in the London office of Latham & Watkins.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Latham & Watkins LLP | Attorney Advertising
