Swiss Federal Data Protection and Information Commissioner (FDPIC) concludes that the Swiss-US Privacy Shield framework does not offer an adequate level of data protection and cautions against the use of SCC in many cases
8. September 2020 – In a statement dated 8 September 2020 (available in English, German, French and Italian, with accompanying documentation), the FDPIC indicated – not surprisingly – that it has removed the USA from its list of countries deemed to provide an “adequate level of data protection”. Indeed, the USA until this point listed as a country providing an adequate level of data protection provided the Swiss-US Privacy Shield applied to the cross-border data disclosures.
This statement comes as a consequence of the CJEU’s recent invalidation of the EU-US Privacy Shield framework (see our news of 24 July 2020), being specified that this decision is not binding for Switzerland. Similarly to the EU-US Privacy Shield, the Swiss-US Privacy Shield is a data protection framework seeking to reinforce data protection measures in situations of data disclosures from Switzerland to the USA. It did so by ensuring, on the one hand, that Swiss data protection principles would apply to cross-border personal data disclosures and, on the other hand, by providing assurances regarding the access to personal data by US authorities.
In his statement, the FDPIC confirmed having broadly based his assessment on the CJEU’s analysis, due to the closeness of Swiss and EU data protection legislation. Consequently, the FDPIC concluded that Swiss-based data subjects did not have sufficient rights in the USA.
Contrary to the situation in the EU, where the court invalidated the EU-US Privacy Shield framework, there has not (yet) been any Swiss court decision in that respect. Rather, the FDPIC considers that the USA does not offer an adequate level of data protection, even when the data is disclosed within the framework of the Swiss-US Privacy Shield. As the FDPIC does not have the authority to invalidate the Swiss-US Privacy Shield (invalidation could come from a US withdrawal from the Swiss-US Privacy Shield), data subjects can still invoke the protections of the Swiss-US Privacy Shield for cross-border disclosures within its framework.
That being said, data exporters are strongly advised to promptly reevaluate their cross-border data disclosures to the US (as well as to other countries that the FDPIC considers do not provide an adequate protection). They should also take into consideration the extra-territorial scope of applicability of the GDPR and the above decision of the CJEU. Moreover, data exporters should carefully ascertain whether the use of standard contractual clauses (also known as SCC) and binding corporate rules (BCR) offer sufficient safeguards when disclosing personal data outside of Switzerland, including to the USA.
The FDPIC furthermore indicates that he will provide additional guidance to Swiss companies in respect of the use of contractual safeguards when disclosing personal data to the USA and other countries that do not offer an adequate level of data protection. Companies should therefore monitor these developments.