View more from News & Articles or Primerus Weekly

By Mauro Loosli & Jennifer Ehrensperger, Suter Howald Attorneys at Law, Zurich, Switzerland

According to the Federal Act on Data Protection, personal data may only be legally transferred and disclosed to countries like the United States, that are considered having a legislation that does not guarantee adequate protection to the privacy of data subjects, if sufficient safeguards ensure an adequate level of protection. So far, the so-called Swiss-US Privacy Shield regime, similar to the EU-US Privacy Shield, Standard Contractual Clauses (SCC) or group-wide “Binding Corporate Rules” were considered sufficient to allow a transfer of personal data from Switzerland to the United States.

In its decision C-311/18 of 16 July 2020, known as "Schrems II", the European Court of Justice (ECJ) declared the EU-US Privacy Shield to be ineffective with immediate effect. According to the decision, US requirements of national security, the public interest or the enforcement of laws take precedence over the principles of the Privacy Shield and data subjects do not have effective legal remedies.

For Switzerland, not being a member state of the European Union, the “Schrems-II” decision is not binding. However, in the annual joint review provided for by the Privacy Shield regime, the Federal Data Protection and Information Commissioner (FDPIC) re-assessed the situation. Based thereon, the FDPIC issued a Policy Paper (see “Policy paper on the transfer of personal data to the USA and other countries lacking an adequate level of data protection within the meaning of Art. 6 Para. 1 Swiss Federal Act on Data Protection" of 8 September 2020) and, as expected, considers also the Swiss-US Privacy Shield to be no longer sufficient for a permissible transfer of personal data from Switzerland to a recipient in the USA due to the lack of guarantees of data subjects’ rights comparable to those in Switzerland.

In the Policy Paper, the FDPIC has also commented on the use of Standard Contractual Clauses and, thereby, stated that it must be assumed that SCC and comparable clauses in many cases do not meet the requirements for contractual guarantees. Like in the “Schrems-II” decision, the reasons were in summary that access to personal data by authorities may not be prevented and a lack of transparency and legal protection of data subjects.

The FDPIC, therefore, recommends the following procedure for the transfer of personal data to the United States or other states without a legislation that guarantees adequate protection based on SCC:

  1. A risk assessment must be carried out. In doing so, the data exporter shall check whether the clauses cover the data protection risks existing in the importing state. If necessary, the clauses shall be amended (whereby such amendments are of limited effect in the event of a derogatory precedence of the public law of the importing state).
  2. When examining data protection risks, it is particularly relevant whether the personal data is transferred to a company in the importing state that is subject to special access by the local authorities (such as e.g. Electronic Communication Service Providers under Section 702 FISA and EO 12 333). Further, it must be checked whether the importing company is entitled and in a position to provide the cooperation required to enforce Swiss data protection principles. If this is not the case, the obligations to cooperate contained in the SCC run into the void.
  3. If access to the transferred personal data by local authorities abroad is possible and if the data importer is unable to enforce Swiss data protection principles, the Swiss data exporter must consider technical measures that effectively prevent access by the foreign authorities to the transferred personal data (e.g. BYOE [bring your own encryption] or BYOK [bring your own key] encryption). Insofar as the implementation of such measures is not possible, the FDPIC recommends not transferring personal data to the state in question based on standard contractual clauses.

The FDPIC’s assessment is subject to any judgements of Swiss courts. However, like for data transfers from the European Union, also data transfers from Switzerland to the United States must be reassessed on the basis of the new Policy Paper of the FDPIC and the “Schrems-II” decision. Thereby, the above principles are also applicable for intra group transfers of personal data such as H.R. data between US or Swiss headquarters and their Swiss or US subsidiaries, respectively, which should all review the basis and procedures for transfer of personal data between Switzerland and the United States.

The general information contained herein is intended for informational purposes only. It is not intended to be, and should not be construed as, legal advice or legal opinion on any specific facts or circumstances.