Switzerland: FDPIC provides guidance on third-country data transfers
The Federal Data Protection and Information Commissioner ('FDPIC') issued, on 18 June 2021, its guide for checking the admissibility of data transfers with reference to foreign countries in accordance with Article 6(2) of the Federal Act on Data Protection 1992 ('FADP'). In particular, the guide provides a flowchart detailing the actions required by organisations to ensure data transfers are made in compliance with the FADP and notably elaborates on the requirement under Article 6(2) of the FADP that, for transfers to a third country which does not appear on the FDPIC list of adequate countries, sufficient safeguards must be provided to ensure adequate data protection.
More specifically, the guide outlines that for such transfers, Standard Contractual Clauses ('SCCs') should, as a rule, serve as the legal basis. Furthermore, the guide stipulates that the data exporter must keep detailed records of the data transfer clarifying a number of details, including whether the personal data is going to be processed by companies that are subject to the legal systems of third countries, for example US cloud providers with servers in Switzerland, the EU, or the EEA.
Four essential guarantees
The guide further provides, with reference to the possibility of state access requests and data subject rights, that the data exporter must assess whether such access and rights are compatible with Swiss data protection law and Swiss constitutional principles. More specifically, the guide outlines that the data exporter must assess whether the following are legally guaranteed in the third country:
- the principle of legality, ensuring clear, precise, and accessible rules on the powers of public authorities and purposes of data access;
- proportionality of the powers and measures regarding regulatory objectives pursued;
- effective legal remedies for data subjects in Switzerland; and
- legal recourse and access to an independent and impartial court.
Further to the above, the guide outlines that the applicable legislation in the country of destination, the practices of the administrative and judicial authorities, and case law must be included in the assessment, and expressly stipulates that subjective factors, such as likelihood of access, can generally not be considered.
The guide then outlines that where the four aforementioned guarantees can be ensured, the only further required consideration in the implementation of SCCs is whether further contractual measures for individual protection (i.e. not against state access) are necessary, including:
- enhanced rights for data subjects (e.g. right to information);
- data transfers made conditional on technical measures being in place;
- enhanced powers for data exporters, by requiring data importers to allow inspections of, and to be held accountable for, data processing systems; and
- clauses that enable and provide for rapid data backup procedures when needed.
Additional technical and organisational measures to ensure four essential guarantees
On the other hand, the guide outlines that if the four aforementioned guarantees are not comprehensively provided in the third country, additional technical and organisational measures that substitute for the missing guarantees must be examined in advance in each case, emphasising that such measures must effectively deny the authorities in the destination country access to the personal data. Further to this, the guide draws on the specific example of cloud data storage by third-country service providers, providing that in this case encryption would be conceivable if the principles of 'bring your own key' ('BYOK') and 'bring your own encryption' ('BYOE') are implemented, but that where services in the target country go beyond simple data storage, the use of such technical measures is challenging.
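As an added illustration that is not part of the FDPIC guide, the following Go code models the storage case above: the exporter encrypts a record under a key it alone holds before upload, so the provider (and any authority compelling it) stores only ciphertext, and a provider-side operation such as search, which needs plaintext, no longer works. The record, the key generation and the function names are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// SampleRecord is a constructed personal-data record destined for a third-country store.
const SampleRecord = "customer=Anna Muster;iban=CH00 0000 0000 0000 0000 0"
// RandomBytes supplies the customer-held key (32 bytes) and per-object nonces.
func RandomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func mustAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length reaches here
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// EncryptForUpload runs on the exporter's side; the provider stores only nonce||ciphertext, never the key.
func EncryptForUpload(key, record []byte) []byte {
	g := mustAEAD(key)
	nonce := RandomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, record, nil)
}

// DecryptAfterDownload reverses it; a wrong key or a tampered blob fails.
func DecryptAfterDownload(key, blob []byte) ([]byte, error) {
	g := mustAEAD(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// ProviderSideContains models a service beyond plain storage (e.g. search): only ciphertext is searchable.
func ProviderSideContains(blob, needle []byte) bool {
	return bytes.Contains(blob, needle)
}
```

The exporter must also protect and regularly rotate the key itself; once the key is shared with the provider, the stored data is again reachable through the provider.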
Finally, the guide stipulates that if additional measures cannot compensate for the identified deficiencies in fulfilling the four guarantees, so that there is no sufficient guarantee pursuant to Article 6(2)(a) of the FADP, the data transfer abroad must be suspended or terminated immediately. Additionally, the guide provides that, where additional measures can effectively ensure the four guarantees, the data exporter must in any case regularly review the technical and legal requirements.
You can download the guide here.