While not outright eliminating the Swiss-U.S. Privacy Shield, the Swiss Data Protection Authority, the Federal Data Protection and Information Commissioner (FDPIC), announced in a position paper on September 8, 2020 that he no longer considers the Swiss-U.S. Privacy Shield adequate for the transfer of personal data from Switzerland to the U.S.
The Commissioner’s position paper follows an annual assessment of the Swiss-U.S. Privacy Shield regime and echoes a recent ruling on data protection by the Court of Justice of the European Union (CJEU) in the case known as Schrems II. The Commissioner reasoned that, although the regime guarantees special protection rights for persons in Switzerland, it does not provide an adequate level of protection for data transferred from Switzerland to the U.S. pursuant to Switzerland’s Federal Act on Data Protection (FADP). Consequently, the U.S. is now classified as having an “insufficient” level of data protection to support international data transfers without restrictions.
Like the CJEU ruling, the Commissioner also concluded in the position paper that the use of alternative data transfer mechanisms, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules, would require companies to conduct a risk assessment. In cases where the assessment indicates that personal data is not adequately protected, businesses would potentially need to implement additional safeguards.
Notably, the FDPIC does not have the authority to invalidate the Swiss-U.S. Privacy Shield Framework outright, and its position is subject to any rulings to the contrary by Swiss courts. But, in light of the CJEU ruling in Schrems II and the Commissioner’s policy paper, companies should consider alternatives to relying on the Swiss-U.S. Privacy Shield framework as a valid data transfer mechanism.
Given that the FDPIC’s rationale for its new position is based on essentially the same rationale as the Schrems II decision, it is possible that methods for addressing the Schrems II decision would be equally effective in addressing this Swiss development, in at least some cases. Some of ZwillGen’s original proposals for such measures appeared in our article Supplementing SCCs to Solve Surveillance Shortfalls. Note, however, that Swiss law explicitly allows certain alternative legal exceptions for transfers that the GDPR does not (see Art. 6(2) of the FAPD), so the full range of options differs.