Swiss data protection legislation guarantees the security and protection of personal data, especially when exchanging data with foreign countries. For data transfers from Switzerland to the USA, it was previously possible to obtain certification under the CH-US Privacy Shield, thus ensuring a partially adequate level of data protection for data processed in the USA.
In a long-awaited decision, the Court of Justice of the European Union (CJEU) has invalidated the EU-US Privacy Shield this July 2020 (read the article here). In its annual joint review, the Federal Data Protection and Information Commissioner (FDPIC) has followed suit and declared the CH-US Privacy Shield does not provide for an adequate level of protection when transferring data from Switzerland to the USA and adapted the country list. His conclusion is therefore in line with the European jurisdiction. Since Switzerland is not a member of the European Union (EU), EU legislation is not binding for Switzerland. However, in view of the latest assessments of the FDPIC and the CJEU and since Swiss companies might also be subject to EU law and therefore be liable for its correct application (e.g. if they process personal data in the EU), there is now an urgent need for action.
First of all, it must be determined whether personal data is exchanged with the US at all and how an adequate level of data protection is currently guaranteed. If this exchange is based on a Privacy Shield, other measures must be taken to transfer personal data in accordance with data protection rules. Else, the existing guarantees shall be reviewed and, if necessary, adapted, e.g. by enhancing the technical and organizational measures. The measures that might be used for data transfers to the USA are appropriate contracts or the consent of the persons concerned. With the revision of the Federal Act of Data Protection (FADP), standard contractual clauses (SCC) are also envisaged in Switzerland. Nevertheless, these alone do not provide for an adequate level of data protection but must be reviewed on a case-by-case basis, if necessary, supplemented with additional guarantees. The key point is that the guarantees provided in the SCC or contracts might be monitored and effectively implemented by US companies in practice. Otherwise there is only the option of stopping the data transfer - at least temporarily - or to switch to providers in Europe.
Both the FDPIC and the responsible authorities in the EU are currently analysing the situation and aim to publish further guidance on how to handle data transfer to the USA as soon as possible. Until then and beyond, our experienced team of data protection specialists will be happy to assist you. Furthermore, we will also be hosting a webinar on this topic in the coming weeks to create clarity and remove uncertainty. We will inform you in due course through our usual channels.