The Federal Data Protection and Information Commissioner (FDPIC) of Switzerland has reassessed the data protection conformity of the Swiss-US Privacy Shield regime and concluded that it no longer provides an adequate level of protection for personal data transfer from Switzerland to the US pursuant to the Swiss Federal Act on Data Protection (FADP).
Following the annual assessment of the Swiss-US Privacy Shield regime and the recent CJEU ruling in case C-311/18 (“Schrems II”), the Federal Data Protection and Information Commissioner has reassessed the data protection conformity of the Privacy Shield regime and decided to delete the reference to ‘adequate data protection under certain conditions’ for the United States in the FDPIC’s list of countries providing an adequate level of data protection. The remarks on the Privacy Shield regime will remain, but have been amended as follows:
“Data processors who are on the list of the US Department of Commerce and sign up to the Privacy Shield regime between the US and Switzerland in relation to personal data obtained in Switzerland shall grant special protection rights to persons in Switzerland. However, these rights do not meet the requirements of adequate data protection as defined by the FADP.”
In its policy paper on the transfer of personal data to the USA and other countries lacking an adequate level of data protection within the meaning of Art. 6 Para. 1 Swiss Federal Act on Data Protection, the FDPIC notes that there is currently no legal decision in Switzerland comparable to the CJEU ruling. It is therefore unclear whether Swiss courts, in applying Art. 6 of the Swiss FADP, would reach similar conclusions regarding the access to data by US authorities as the CJEU has in applying the GDPR.
In view of this situation, the FDPIC, in consideration of the general principle of the rule of law and the need for legal certainty, feels compelled not only to reassess the current position of the US on the list, but also to provide more detailed legal justification for any amendment to it.
“Because there is no guarantee of rights that would afford persons concerned in Switzerland protection comparable to that afforded by Art. 13 paras 2 and 29 ff. FC, Art. 8 ECHR and Art. 4 FADP, the FDPIC considers that data protection within the meaning of Art. 6 Para. 1 FADP is insufficient in the US, even for the processing of personal data by US companies that are certified under the Privacy Shield regime. As a result of this assessment based on Swiss law, the FDPIC concluded that the indication ‘Adequate level of protection under certain circumstances’ had to be removed for the US in the FDPIC’s list of countries.”
The policy paper contains preliminary advice for Swiss companies that transfer personal data to ‘non-listed’ countries. For example, the FDPIC recommends that Swiss data exporters consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data.
Read more from FDPIC’s position paper here.