Transfer of Personal Data from Switzerland to the United States to be Re-assessed
Business Law Articles
View more from News & Articles or Primerus Weekly
By Mauro Loosli & Jennifer Ehrensperger, Suter Howald Attorneys at Law, Zurich, Switzerland
According to the Federal Act on Data Protection, personal data may only be legally transferred and disclosed to countries like the United States, that are considered having a legislation that does not guarantee adequate protection to the privacy of data subjects, if sufficient safeguards ensure an adequate level of protection. So far, the so-called Swiss-US Privacy Shield regime, similar to the EU-US Privacy Shield, Standard Contractual Clauses (SCC) or group-wide “Binding Corporate Rules” were considered sufficient to allow a transfer of personal data from Switzerland to the United States.
In its decision C-311/18 of 16 July 2020, known as "Schrems II", the European Court of Justice (ECJ) declared the EU-US Privacy Shield to be ineffective with immediate effect. According to the decision, US requirements of national security, the public interest or the enforcement of laws take precedence over the principles of the Privacy Shield and data subjects do not have effective legal remedies.
For Switzerland, not being a member state of the European Union, the “Schrems-II” decision is not binding. However, in the annual joint review provided for by the Privacy Shield regime, the Federal Data Protection and Information Commissioner (FDPIC) re-assessed the situation. Based thereon, the FDPIC issued a Policy Paper (see “Policy paper on the transfer of personal data to the USA and other countries lacking an adequate level of data protection within the meaning of Art. 6 Para. 1 Swiss Federal Act on Data Protection" of 8 September 2020) and, as expected, considers also the Swiss-US Privacy Shield to be no longer sufficient for a permissible transfer of personal data from Switzerland to a recipient in the USA due to the lack of guarantees of data subjects’ rights comparable to those in Switzerland.
In the Policy Paper, the FDPIC has also commented on the use of Standard Contractual Clauses and, thereby, stated that it must be assumed that SCC and comparable clauses in many cases do not meet the requirements for contractual guarantees. Like in the “Schrems-II” decision, the reasons were in summary that access to personal data by authorities may not be prevented and a lack of transparency and legal protection of data subjects.
The FDPIC, therefore, recommends the following procedure for the transfer of personal data to the United States or other states without a legislation that guarantees adequate protection based on SCC:
The FDPIC’s assessment is subject to any judgements of Swiss courts. However, like for data transfers from the European Union, also data transfers from Switzerland to the United States must be reassessed on the basis of the new Policy Paper of the FDPIC and the “Schrems-II” decision. Thereby, the above principles are also applicable for intra group transfers of personal data such as H.R. data between US or Swiss headquarters and their Swiss or US subsidiaries, respectively, which should all review the basis and procedures for transfer of personal data between Switzerland and the United States.
The general information contained herein is intended for informational purposes only. It is not intended to be, and should not be construed as, legal advice or legal opinion on any specific facts or circumstances.