Employees' privacy rights and their protection in the cross-border transfer of data have been the subject of a significant controversy in Switzerland in the past couple of weeks. Further to an investigation opened by the New York Attorney General against several Swiss banks for allegedly assisting U.S. taxpayers in tax evasion, six Swiss banks transmitted to the United States Department of Justice information about 7,000 to 10,000 of their employees, former employees, portfolio managers and counsels. The disclosed information included the name, title, and position of the individuals, copies of internal documents prepared by these employees, and a list of phone calls placed by them to or from the United States. The banks' disclosure of the names of their employees who had had access to the Swiss banking information of U.S. taxpayers violates the employees' privacy rights under Swiss law, including the Federal Data Protection and Information Act, and was carried out on the basis of a special authorization from the Federal Council of the Swiss Confederation, the validity of which is challenged. Between June and August, several former bank employees filed criminal complaints before the Attorney General of Switzerland and applied to the Geneva and Zurich civil courts, seeking both access to the documents transferred and an injunction barring the banks from transmitting any further employee information. Subsequent to an investigation by the Swiss Privacy Commissioner, the banks were ordered to immediately stop delivering personnel information to the U.S. Department of Justice. While the criminal proceedings are ongoing, a Geneva district court recently granted an employee's request for an emergency provisional measure and enjoined at least one bank from delivering any data that contained the name of the plaintiff.
Tip: Companies operating in foreign countries should keep in mind their local privacy obligations when transferring data across borders. This case reminds us that cross-border transfers to the U.S. are not always viewed as permissible under local law. In Switzerland, one way a company can transmit employee data in compliance with Swiss law is if the recipient participates in the U.S.-Swiss Safe Harbor program. Other methods exist; however, any cross-border transfer should be carried out in cooperation with legal counsel, particularly in cases where prior approval from the Swiss Privacy Commissioner may be required.