Introduction

On 16 July 2020 the European Court of Justice (ECJ) declared that the European Commission's decision of 12 July 2016, which had found that the United States ensured an adequate level of protection of personal data transferred under the EU-US Privacy Shield Framework, was invalid (Judgment C-311/18).

Under the EU General Data Protection Regulation (GDPR), data controllers and data processors may transfer personal data outside the European Union only in certain limited circumstances. In particular, the transfer of personal data to countries that the European Commission deems not to provide an adequate level of data protection requires (in most cases) specific safeguards. On the other hand, where the European Commission decides that the destination country offers an adequate level of data protection, there is no mandatory requirement for specific safeguards.

In this respect, the European Commission considered that personal data transfers from the European Union to the United States benefitted from an adequate level of protection, provided that the US-based data recipient was certified under the EU-US Privacy Shield Framework. Prior to its invalidation, this framework allowed US-based entities to obtain certification and thereby offer a level of data protection equivalent to that afforded under the GDPR.

This article examines the effect that the ECJ's decision will have on the Swiss-US Privacy Shield Framework.

ECJ judgment

In Judgment C-311/18, the ECJ found that the protection of personal data under the EU-US Privacy Shield Framework does not meet the standards required under EU law. This was primarily the result of the ECJ's finding that EU residents (non-US nationals) have insufficient legal remedies where US authorities, acting under US national security programmes, access personal data pertaining to EU residents that is processed by US recipients certified under the EU-US Privacy Shield Framework.

On the other hand, the ECJ ruled that so-called 'standard contractual clauses' (SCCs), which are safeguards under the GDPR for personal data transfers to jurisdictions that do not offer an adequate level of data protection, remain valid. However, and more importantly, the ECJ considered that data exporting parties would be responsible for verifying beforehand whether:

  • the level of protection required by the GDPR has been met in the third country with respect to the personal data transferred using the SCCs; and
  • the use of SCCs offers sufficiently strong protection.

This means that while SCCs provide a viable alternative to continue data transfers, they are not necessarily sufficient and require a case-by-case assessment; they may even require additional contractual guarantees in order to offer sufficient data protection.

Swiss context

The situation in Switzerland is uncertain at the time of writing. The Swiss-US Privacy Shield Framework remains formally valid and in effect. However, the Federal Data Protection and Information Commissioner (FDPIC) is reviewing the situation in light of the ECJ's judgment and it is likely that the Swiss-US Privacy Shield Framework will also fall in the near future. Swiss businesses are therefore strongly advised to identify any categories of personal data which they transfer from Switzerland to US-based entities that rely solely on such US-based entities' Swiss-US Privacy Shield Framework certification.

For such transfers, specific safeguards such as the SCCs (the EU's SCCs, possibly adapted to Swiss law) must be implemented, unless an exception applies. That said, in light of the ECJ's decision, Swiss businesses switching to SCCs or already using SCCs for transfers of personal data to jurisdictions not offering an adequate level of data protection for the personal data being transferred should in any case reassess the use of the SCCs and, if necessary, supplement them with additional contractual guarantees. Moreover, businesses should closely monitor new developments, in particular the outcome of the FDPIC's assessment.