On 8 September 2020, the Swiss Federal Data Protection and Information Commissioner (the FDPIC) concluded that the Swiss-US Privacy Shield does not provide an adequate level of protection for personal data transferred from Switzerland to the United States. In doing so, the FDPIC followed the lead of the Court of Justice of the European Union (CJEU) which, on 16 July 2020, ruled that the EU-US Privacy Shield was invalid. We reported on that important development and published further analysis here and here.
Although not a member of the EU, Switzerland has adopted data protection rules that closely align with the General Data Protection Regulation (the GDPR). As with the EU, the Swiss data protection regime generally prohibits the transfer of personal data from its home jurisdiction to third countries. There are important exceptions to this, however, including when transferring parties agree to Standard Contractual Clauses and, formerly, when relying on a Privacy Shield mechanism. Thousands of companies previously relied on the EU-US Privacy Shield to move personal data across the Atlantic. Following the CJEU's decision in Schrems II, those companies have now had to reassess how to carry out these transfers.
The FDPIC maintains a document that details its position concerning the adequacy of data protection measures in certain third countries. It reviews this document at least annually. Swiss entities are able to transfer personal data freely to countries that meet the FDPIC's adequacy criteria without the need for additional special safeguards. The FDPIC has not granted the United States adequacy status and consequently, in order for personal data to be transferred from Switzerland to the US, special safeguards are required. Previously, the Swiss-US Privacy Shield was one such example of an effective special safeguard.
The FDPIC's decision
Although Switzerland is not legally bound by the CJEU's decision in Schrems II, in its recent review the FDPIC undertook its own analysis and arrived at the same conclusion as that of the CJEU: that it could no longer accord the United States the status "Adequate level of protection under certain circumstances", where those circumstances are the Swiss-US Privacy Shield. In siding against the Privacy Shield, as with Schrems II, the FDPIC's decision centred on the US government's national security surveillance powers and those powers' precedence over the requirements to treat personal data in accordance with the Privacy Shield principles.
Whilst it is also important to note that the FDPIC does not have the power to prevent the continued existence and operation of the Swiss-US Privacy Shield in circumstances where the United States has not revoked it, in practice companies may no longer rely on the Swiss-US Privacy Shield framework to transfer data from Switzerland and remain in compliance with Swiss law. Data recipients in the United States may continue to confer special protection rights on the data of persons located in Switzerland, but those rights will no longer meet the requirement of adequate protection as defined by Swiss data protection law. One should also note that the FDPIC's decision is subject to any ruling on the subject by the Swiss courts.
The FDPIC's decision paper noted that a "mutual need for coordination arises in particular when the adequacy of a third country has been reassessed, as it is currently the case in the EU/EEA member states following the [Schrems II decision]." It is not therefore a coincidence that this decision appeared so closely following that case. The FDPIC's decision evidences continued alignment between the Swiss and EU data protection regimes and the growing importance of adequacy blocs, in which national data protection authorities mirror each other's' adequacy standards.
Data transfers between Switzerland and the United States that relied on the Swiss-US Privacy Shield mechanism should now cease, and companies should only restart transfers once a new mechanism is in place. On this point, the FDPIC goes further than the CJEU's comments in Schrems II regarding Standard Contractual Clauses, noting that if companies seek to rely on the mechanism, then a risk assessment should be carried out on a case-by-case basis and appropriate safeguards and technical measures be put in place to prevent the issues identified by the FDPIC (such as unrestricted state surveillance) from occurring.
If such safeguards and technical measures are ineffective or impossible in the context, the FDPIC "recommends refraining from transferring personal data to the non-listed country on the basis of contractual guarantees". It notes, perhaps pre-empting the CJEU in a third Schrems case, that "it is to be assumed that in many cases the [Standard Contract Clauses] and comparable provisions do not meet the requirements for contractual safeguards pursuant to [Swiss law] for data transfer for nonlisted countries". Noting this last statement, it is unlikely that this FDPIC decision will be the end of the story.
Where does this development leave data controllers, both in Switzerland and elsewhere? Transfers between Switzerland and the EU remain unaffected by this decision. Transfers to the United States from Switzerland are not over, but will be considerably more challenging. Transferring parties will need to assess closely the circumstances of each transfer, as well as the adequacy and effectiveness of the chosen safeguards, both legal and technical. As noted in our analysis regarding the Schrems II decision, it is probable that there will be further developments to come on this subject, in particular around the adequacy of Standard Contractual Clauses.