On 8 September, the Federal Data Protection and Information Commissioner (FDPIC) determined that it no longer considers the CH-US Privacy Shield adequate for transferring personal data from Switzerland to the USA (please see the statement, the policy paper, and the amended list of states with adequate protection here). Such a decision was expected following the EU Court of Justice (CJEU) judgment of mid-July in the case C-311/18 — Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems. See our summary here.
Based on this determination and within the scope of its competence (Art. 31 para. 1 lit. d FADP and Art. 7 of the Ordinance to the FADP (OFADP)), the FDPIC has removed the USA from the list of states with adequate data protection under certain conditions (Privacy Shield) and classifies the USA from now on as a country with insufficient protection.
The list of states is a list of countries whose legislation, in the opinion of the FDPIC, guarantees adequate data protection. However, the list does not release data exporters from their obligation to assess the presumed level of protection if there are indications of data protection risks in a specific case and, if necessary, to take appropriate safeguards within the meaning of Art. 6 para. 2 FADP, or even to refrain from exporting the data. The list distinguishes between countries with "adequate data protection" and countries with "adequate data protection under certain conditions". The USA has belonged to the second group since the beginning of 2017, with the introduction of the CH-US Privacy Shield.
With the removal of the USA from the list, the transfer of personal data to the USA now requires the fulfillment of one of the conditions of Art. 6 para. 2 FADP (such as contractual guarantees, binding corporate rules (BCR), or consent). The data exporter remains obliged to carry out a risk assessment in each case and, in particular, to ensure the adequacy of data protection in the destination country.
However, the determination of the FDPIC and the removal of the USA from the list of states does not influence the continued existence of the CH-US Privacy Shield. The framework would have to be formally revoked by the US Department of Commerce. If a company continues to transfer personal data to the USA under the CH-US Privacy Shield without taking additional safeguards under Art. 6 para. 2 FADP, it is in breach of the data protection principles under the FADP. It thus unlawfully violates the personality of the data subjects, unless there is a legal justification, including consent, an overriding private or public interest or law.
In its policy paper, the FDPIC provides guidance on the measures to be taken by companies that transfer personal data to non-listed countries based on contractual clauses. Data exporters should consider each case with due diligence and, in particular, verify whether the receiving company in a non-listed country is subject to governmental access, and further whether the receiving company is entitled and in a position to provide the cooperation necessary for the enforcement of Swiss data protection principles. If this is not the case, Swiss data exporters must consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data, in particular encryption combined with the principles of BYOK (bring your own key) and BYOE (bring your own encryption). However, encryption may not be practicable where the receiving company's services go beyond mere data hosting. If such technical measures are not possible, the FDPIC recommends refraining from transferring personal data to non-listed countries based on contractual clauses.
Please note that under the current FADP, the FDPIC only has the power to issue recommendations regarding the method of processing, and, in case such recommendations are not followed or rejected, to refer the matter to the Federal Administrative Court for a decision. Under the revised Draft FADP (D-FADP, according to the current state), however, the FDPIC shall obtain extended power to issue an order to the controller directly and prohibit the data transfer abroad if it is contrary to the requirements of the D-FADP or violates provisions relating to the disclosure of personal data abroad. Responsible individuals who deliberately fail to comply with an order issued by the FDPIC may be fined up to 250,000 Swiss francs, provided that the order contains such a threat of punishment.
Therefore, Swiss companies should continue to monitor developments in this matter and watch out for further guidance from the FDPIC. Companies should also identify and document any cross-border data transfers within their organization and to third parties, together with the safeguards used. Transfers currently relying on the CH-US Privacy Shield should be based on alternative transfer mechanisms. If Standard Contractual Clauses (SCC) are used, companies should conduct assessments in each case, as described above, and take additional contractual, technical, and organizational measures to reach an adequate level of protection for the data transferred.