The Federal Data Protection and Information Commissioner (FDPIC) has determined that the Swiss-United States Privacy Shield does not provide an adequate level of data protection for data transfers from Switzerland to the U.S. under the Federal Act on Data Protection (FADP). As a result, the FDPIC has removed the “adequate data protection under certain conditions” for the U.S. The decision comes on the heels of the July 2020 ruling in the Schrems II case by the Court of Justice of the European Union (CJEU), which invalidated the European Union-U.S. Privacy Shield for data transfers (covered in detail in our client alert here). Although Switzerland was not bound by the outcome in Schrems II, the ruling was taken into account as part of the annual review of Swiss-U.S. Privacy Shield Framework, conducted by the FDPIC.
In a policy paper, the FDPIC determined that the special protection rights for individuals in Switzerland guaranteed through the Swiss-U.S. Privacy Shield did not provide adequate levels of protection for data being transferred to the U.S. from Switzerland. As a result, the FDPIC has removed language from its list of countries referencing “adequate data protection under certain conditions” for the U.S. Although the FDPIC does not have the authority to completely invalidate the Swiss-U.S. Privacy Shield, companies transferring data from Switzerland to the U.S. may no longer rely on the Swiss-U.S. Privacy Shield.
In its policy paper, the FDPIC clarified the standards regarding alternative data transfers, such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). The FDPIC concluded that these types of alternative data transfers will require companies to conduct a risk assessment evaluating if the company importing the data is subject to any special access request by local authorities. If the results of the data assessment indicate that there are data protection risks, the companies will possibly need to implement additional safeguards, such as encryption or technical measures, designed to effectively prevent authorities from the destination country from accessing the data.
Going forward, companies that rely on the Swiss-U.S. Privacy Shield will need to immediately reassess their options for data transfers. This continues the trend of heavily scrutinizing data transfers to the United States, established by the CJEU’s decision in Schrems II.