Swiss-U.S. Privacy Shield No Longer Adequate for Data Transfers

Akin Gump Strauss Hauer & Feld LLP
Contact

Akin Gump Strauss Hauer & Feld LLP

The Federal Data Protection and Information Commissioner (FDPIC) has determined that the Swiss-United States Privacy Shield does not provide an adequate level of data protection for data transfers from Switzerland to the U.S. under the Federal Act on Data Protection (FADP). As a result, the FDPIC has removed the “adequate data protection under certain conditions” for the U.S. The decision comes on the heels of the July 2020 ruling in the Schrems II case by the Court of Justice of the European Union (CJEU), which invalidated the European Union-U.S. Privacy Shield for data transfers (covered in detail in our client alert here). Although Switzerland was not bound by the outcome in Schrems II, the ruling was taken into account as part of the annual review of Swiss-U.S. Privacy Shield Framework, conducted by the FDPIC.

In a policy paper, the FDPIC determined that the special protection rights for individuals in Switzerland guaranteed through the Swiss-U.S. Privacy Shield did not provide adequate levels of protection for data being transferred to the U.S. from Switzerland. As a result, the FDPIC has removed language from its list of countries referencing “adequate data protection under certain conditions” for the U.S. Although the FDPIC does not have the authority to completely invalidate the Swiss-U.S. Privacy Shield, companies transferring data from Switzerland to the U.S. may no longer rely on the Swiss-U.S. Privacy Shield.

In its policy paper, the FDPIC clarified the standards regarding alternative data transfers, such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). The FDPIC concluded that these types of alternative data transfers will require companies to conduct a risk assessment evaluating if the company importing the data is subject to any special access request by local authorities. If the results of the data assessment indicate that there are data protection risks, the companies will possibly need to implement additional safeguards, such as encryption or technical measures, designed to effectively prevent authorities from the destination country from accessing the data.

Going forward, companies that rely on the Swiss-U.S. Privacy Shield will need to immediately reassess their options for data transfers. This continues the trend of heavily scrutinizing data transfers to the United States, established by the CJEU’s decision in Schrems II.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akin Gump Strauss Hauer & Feld LLP | Attorney Advertising

Written by:

Akin Gump Strauss Hauer & Feld LLP
Contact
more
less

Akin Gump Strauss Hauer & Feld LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.