Swiss companies are advised to take additional measures when transferring personal data from Switzerland to the US.
By Gail E. Crawford, Fiona M. Maclean, and Amy Smyth
On 8 September 2020, the Swiss data protection authority, Adrian Lobsiger (the Federal Data Protection and Information Commissioner, FDPIC), concluded in his annual review that the Swiss-US Privacy Shield does not provide an adequate level of protection for personal data transfer from Switzerland to the US pursuant to the Swiss Federal Act on Data Protection (FADP). Mirroring the Court of Justice in the European Union’s (CJEU’s) findings in the recent Schrems II decision, the FDPIC also concludes that the standard contractual clauses (SCCs), and binding corporate rules (BCRs) (as applied in Switzerland), may not provide for adequate protection for transfers to the US or other third countries.
The FDPIC ultimately reaches the same conclusions as the CJEU in Schrems II, which invalidated the EU-US Privacy Shield and imposed a number of caveats on use of the SCCs. In previous posts, Latham has commented on the Schrems II decision and considerations for addressing data transfer risks.
Whilst the FDPIC and the Swiss courts are not bound by the CJEU, the FDPIC nonetheless closely follows the CJEU’s reasoning in Schrems II. The FDPIC states that, in its view, Swiss individuals do not have sufficient rights of redress or remedy in the context of US authorities’ access to data; the Privacy Shield ombudsman mechanism cannot be properly assessed due to a lack of transparency; and the US legal regime providing for such access is incompatible with Swiss data protection laws.
On this basis, the FDPIC found that the Swiss-US Privacy Shield does not provide adequate protection for personal data transfers to the US pursuant to the FADP, and changed the respective entry in its list of countries providing adequate protection. As in Schrems II, the FDPIC’s assessment does not itself invalidate the Swiss-US Privacy Shield self-certifications, and if a company has certified under the rule, data subjects can still rely on the rights provided under it. Swiss companies, however, may no longer rely on the Swiss-US Privacy Shield as a valid data transfer mechanism.
In relation to the SCCs, the FDPIC concludes that the SCCs, or BCRs (as applied in Switzerland), alone may not provide for adequate protection for transfers to the US or other countries Switzerland does not recognise as adequate. The FDPIC recommends:
- Swiss data exporters conduct a case-by-case risk assessment of data transfers in reliance on SCCs and BCRs.
- Swiss data exporters specifically consider whether the foreign recipient company can provide the cooperation necessary for the enforcement of Swiss data protection principles. If not, the SCCs cannot be complied with, and cannot alone provide an adequate level of protection.
- If the foreign recipient company cannot provide such necessary cooperation, the Swiss data exporter must consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data. Examples include encryption, the principles of BYOK (bring your own key), and BYOE (bring your own encryption).
The FDPIC states that he will provide Swiss companies with further guidance on data export mechanisms as soon as further information — such as statements from the European Data Protection Board — is available. The Swiss regulator is likely to closely follow those across the European Union in the wake of Schrems II.
This post was prepared with the assistance of Nara Yoo in the London office of Latham & Watkins.