Swiss Data Protection Authority Concludes That the U.S.-Swiss Privacy Shield Does Not Provide Adequate Level of Data Protection - Clarip Privacy Blog

Following the recent ruling of the Court of Justice of the European Union (CJEU) which invalidated the EU-U.S. Privacy Shield, the Swiss Federal Data Protection and Information Commissioner (FDPIC) announced that it no longer considers the Swiss-U.S. Privacy Shield adequate for the purposes of transfers of personal data from Switzerland to the United States.  As Switzerland is not a member of the European Union, it is not legally bound by the CJEU ruling.

Although there are some differences between the frameworks, the principles under the EU-U.S. and the Swiss-U.S. Privacy Shields align.  The FDPIC concluded that, although the Privacy Shield guarantees special protection rights for persons in Switzerland, it does not provide an adequate level of protection for data transfer from Switzerland to the United States pursuant to the Federal Act on Data Protection for the reasons noted in the CJEU’s ruling.

As a result of this assessment based on Swiss law, the FDPIC has deleted the reference to “adequate data protection under certain conditions” with respect to the United States in its list of “adequate” jurisdictions. The FDPIC, however, does not have the authority to invalidate the Privacy Shield Framework, and its position on the framework's adequacy remains subject to any ruling by the Swiss courts. According to the FDPIC’s statement, “those concerned can invoke the regime as long as it is not revoked by the U.S.” The U.S. Department of Commerce, for its part, is intent on maintaining the Privacy Shield List and continuing to process submissions for self-certification and re-certification to the Privacy Shield Frameworks.

The FDPIC also offered the following advice to companies when transferring data to jurisdictions which do not provide an adequate level of data protection:

  • If the disclosure of data is based on contractual guarantees such as Standard Contractual Clauses, data exporters should carry out a risk assessment. The exporters should check whether the clauses cover the data protection risks existing in the transferee country. If necessary, the clauses should be expanded.
  • When examining data protection risks, it is important to consider whether the data is transferred to a company in a country that is subject to special access by the local authorities (as is the case with the United States). It must also be considered whether the foreign recipient company is entitled to and is in a position to provide the cooperation necessary for the enforcement of Swiss data protection principles. If this is not the case, any provisions in the Standard Contractual Clauses concerning the obligation to cooperate are negated.
  • Data exporters must consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data. For example, if data is stored solely in the cloud by service providers in a transferee country, encryption would be conceivable, along the principles of BYOK (bring your own key) and BYOE (bring your own encryption), so that no individual personal data would be available in the destination country and the service provider would have no possibility of decoding the data themselves. If such measures are not possible, the FDPIC recommends refraining from transferring personal data on the basis of contractual guarantees.
