Swiss-US Privacy Shield No Longer Provides an Adequate Level of Data Protection


Your contacts

Today, 8 September 2020, the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) issued a press release announcing it no longer considers the Swiss-US Privacy Shield regime to provide an adequate level of data protection. The FDPIC has taken its time to consider the July 2020 Schrems II decision by the Court of Justice of the European Union (“CJEU”), which found the EU-US Privacy Shield to be inadequate. It has now issued this decision on the basis of its own annual assessment of the virtually identical Swiss-US Privacy Shield.

Together with the press release, the FDPIC published a position paper intended to provide some guidance on what its decision means for Swiss businesses that transfer personal data to the USA or other countries on the FDPIC list of countries that do not provide an adequate level of data protection. The position paper explains that the Swiss-US Privacy Shield is inadequate in particular because of a lack of transparency and lack of a right of legal recourse. Access to personal data by the US authorities is not transparent and individual data subjects in Switzerland are not able to enforce resultant legal claims for breach of their data privacy rights. The Ombudsman who would nominally be able to hear such claims has no real power to implement the self-regulatory rules under the Privacy Shield.

The FDPIC also clarifies that neither the often-used Standard Contractual Clauses (“SCC“) nor Binding Corporate Rules (“BCR“) are capable of preventing access to personal data by foreign authorities if the law of the importing country allows officials to access such data without sufficient transparency and legal protection for data subjects. According to the FDPIC, this not only applies to the USA. An assessment must be made for every country that does not provide an adequate level of data protection. This is a very unfortunate decision by the FDPIC for Swiss businesses.

The position paper does try to offer some practical advice for businesses transferring personal data countries with an inadequate level of data protection such as the USA. In particular, the guidance suggests:

  • The data exporter must always carry out a case-by-case assessment with due care and diligence.
  • When using contractual guarantees (e.g. SCCs and BCRs) for a data transfer, the data exporter must carry out a risk assessment to check that the contractual guarantees cover the risks existing in the third country, such as access to the data by government surveillance operations without the possibility of legal recourse for the data subject. If this is not the case, the contractual guarantees need to be amended to address these risks. (Note: the European Commission has already indicated that it will publish amended SCCs by the end of this year.)
  • If contractual guarantees cannot provide an adequate level of data protection, the data exporter must consider technical measures that prevent the authorities in the country of the data importer from accessing such personal data. For example, when using a cloud provider in a country that does not provide an adequate level of data protection, encryption technology may be used as a technical measure provided it is implemented on the basis of the principle of bring-your-own-key or bring-your-own-encryption, meaning that the data importer cannot decode the data at all. If that is not possible, according to the FDPIC transfers of personal data to countries with an inadequate level of protection should be stopped altogether.

This decision poses major hurdles for internationally active businesses as it drastically limits the possibilities to transfer personal data abroad in a legally compliant way. The practical advice offered by the FDPIC so far does not provide any real assistance to businesses trying to act in compliance with the law. In its position paper, the FDPIC promises further guidance for data exporting businesses, and it can only be hoped that this further guidance, when it comes, will take into consideration the need for businesses to transfer data without too many administrative and technical burdens.

The position paper of the FDPIC is available here. Please reach out to us if you would like to discuss this further. We would be happy to talk with you about the impact of the FDPIC’s decision on your business and suitable solutions for your international data transfers.


Share post



most read


Highlights

MLL Legal

MLL Legal is one of the leading law firms in Switzerland with offices in Zurich, Geneva, Zug, Lausanne, London and Madrid. We advise our clients in all areas of business law and stand out in particular for our first-class industry expertise in technical-innovative specialist areas, but also in regulated industries.

MLL Legal

Newsletter

Much is still unclear in relation to liability questions around AI tools.

Read our latest post about “Liability during the Lifecycle of an AI Tool” and download our white paper.

Show article.

Our Story

MLL Legal is a leading Swiss law firm with a history that dates back to 1885. The firm has grown both organically and by means of strategic mergers, the latest of which took place on 1st July 2021 between Meyerlustenberger Lachenal and FRORIEP.

The merger establishes MLL Legal, a combined new entity as one of the largest commercial law firms in Switzerland with 150 lawyers in four offices in Switzerland and two offices abroad, in London and Madrid serving clients seeking Swiss law advice.

Our firm has a strong international profile and brings together recognised leadership and expertise in all areas of law affecting commerce today, with a focus on high-tech, innovative and regulated sectors. 

About us

Publications

Click here for our latest publications

COVID-19

Read all our legal updates on the impact of COVID-19 for businesses.

COVID-19 Information

Job openings

Looking for a new challenge?

Our talented and ambitious teams are motivated by a common vision to succeed. We value open and straightforward communication accross all levels of the organisation in a supportive working environment.

Job openings

Firm News

Click here for our latest firm news.

Our Team

The regulatory and technological landscape continually require businesses to adapt and evolve.
Our 150+ lawyers are continuously innovating and striving for improvement in everything they do. We embrace new ideas and technologies, combining our wealth of expertise with creative thinking and diligence. With our hands-on approach, we implement viable solutions for the most complex legal challenges.

Our Team.

LexCast – the podcast series by MLL NexGen

Smart legal education on the go. The LexCast hosted by MLL NexGen provides legal insights in a short format that allows listeners to educate themselves on and about legal issues wherever they are and whenever they find the time.

Listen to our podcast series – stay tuned.

MLL Legal on Social Media

Follow us on LinkedIn.