- The European Court of Justice declared the "EU-U.S. Privacy Shield" to be invalid and the European standard contractual clauses to be an insufficient legal basis for the transfer of personal data to the USA. Swiss companies that are not subject to the GDPR are not directly affected by this European decision.
- Based on the European decision, the FDPIC no longer regards the "Swiss-U.S. Privacy Shield" as a sufficient guarantee for data transfers to the USA and the European standard contractual clauses no longer as an unconditional justification for cross-border data transfers.
- Swiss companies are advised to reconsider the legal basis for their cross-border data transfers and to introduce appropriate additional protective measures.
In its landmark decision C-311/18 of 16 July 2020 ("Schrems II"), the European Court of Justice ("ECJ") decided that:
- the "EU-U.S. Privacy Shield" – a US self-certification program in which US corporations promise to comply with data protection according to European standards – is no longer a valid basis to legally transfer personal data to a US-based company under the GDPR. With this restriction, the ECJ responds to the comprehensive surveillance measures of the USA, which are not sufficiently limited by the "EU-U.S. Privacy Shield"; and
- personal data may no longer be transferred readily to countries without adequate data protection on the basis of the European standard contractual clauses ("SCC"). The data controller may need to take additional protective measures on a case-by-case basis, or to refrain from exporting personal data to the country in question if protection is not guaranteed despite the SCC. The SCC therefore remain legally valid, but require a more in-depth analysis and the implementation of additional protective measures, taking into account the law of the country to which the data are transferred.
Are Swiss companies affected by this decision?
The ECJ decision has no direct impact on Switzerland, as Switzerland is not a contracting party to the "EU-U.S. Privacy Shield" and is not directly bound by the decisions of the ECJ.
However, based on the abovementioned European decision, the Federal Data Protection and Information Commissioner ("FDPIC") declared on 8 September 2020 that data protection in the USA is not sufficient, even for the processing of personal data by US companies that are certified under the "Swiss-U.S. Privacy Shield" (cf. statement of the FDPIC). Since the FDPIC is not authorized to invalidate the "Swiss-U.S. Privacy Shield", the FDPIC's assessment is subject to any deviating rulings by Swiss courts or the Swiss Parliament. Further, the FDPIC considered that in many cases the SCC do not provide a sufficient legal basis to transfer personal data to third countries without adequate data protection regulations within the meaning of art. 6 para. 2 of the Federal Act on Data Protection.
This assessment has implications for Swiss companies. Firstly, Swiss companies may no longer base their data exports to the USA exclusively on the "Swiss-U.S. Privacy Shield". Secondly, Swiss companies may continue to rely on the SCC when exporting personal data to third countries without adequate data protection; they must, however, check whether the SCC cover the data protection risks existing in the country of the recipient party.
We note that compliance with data protection regulations is of particular importance, as a violation of these regulations, in particular the GDPR, can result in major damage to the company's reputation and in significant monetary sanctions, depending on the severity of the breach.
Need for Action?
Data exports from Switzerland to third countries (no application of GDPR)
For Swiss companies that have so far based their cross-border data transfers to the USA solely on the "Swiss-U.S. Privacy Shield", we recommend implementing alternative protective measures for future data transfers in order to minimize the risk of a potentially unauthorized transfer.
Such alternative protective measures may include, for example, the conclusion of SCC or obtaining the consent of the persons concerned (not recommended, since the persons concerned may revoke their consent at any time). With regard to the SCC, however, one should consider that they no longer guarantee per se a lawful data transfer to third countries without adequate data protection.
Swiss companies that have based (or intend to base) their cross-border data transfers on the SCC are required to carry out a risk assessment. This assessment checks whether the SCC cover the data protection risks existing in the country of the recipient party, i.e. whether the SCC provide sufficient protection of the transferred data in the recipient country against access by domestic authorities. We recommend reviewing the existing SCC and, if necessary, supplementing them with additional protective measures.
Such additional protective measures may include: (i) introduction of comprehensive documentation requirements as to which data are disclosed to which parties and for which purposes; (ii) transmission of anonymized or encrypted data only, whereby the key for decryption remains in Switzerland; (iii) conclusion of additional agreements requiring the data recipient to exhaust all legal and technical means to prevent unlawful access to the personal data by domestic authorities; and (iv) obtaining third-party expert opinions on the level of, and compliance with, data protection in the recipient country.
Data exports from Switzerland to third countries (application of GDPR)
Swiss companies that are subject to the GDPR, for example because they offer goods or services to persons in the EU or process personal data on behalf of data controllers established in the EU, must consider alternative protective measures if personal data of EU residents are transferred to companies in the USA on the basis of the "EU-U.S. Privacy Shield". As stated above, the "EU-U.S. Privacy Shield" no longer forms a valid basis for data transfer to the USA.
A reasonable alternative is provided, for example, by SCC that are adapted to Swiss requirements, reviewed in terms of content and supplemented where necessary. For further alternative or additional protective measures, please refer to the information in the previous section.