Switzerland: FDPIC calls into question protection afforded by Swiss-US Privacy Shield
The Federal Data Protection and Information Commissioner ('FDPIC') published, on 8 September 2020, its assessment of the Swiss-US Privacy Shield and adopted a position paper[1] on the same. In particular, the FDPIC found that the Swiss-US Privacy Shield does not guarantee an adequate level of protection with regard to data transfers from Switzerland to the US. This assessment comes approximately two months after the Court of Justice of the European Union ('CJEU') published its long-awaited judgment on Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Judgment')[2], which rendered the European Commission's decision on the US-EU Privacy Shield invalid.
Background to the FDPIC's assessment
The FDPIC clarified that it maintains a list of countries ('the List')[3] considered to adequately protect personal data under Article 6 of the Federal Act on Data Protection 1992 ('FADP'), while also emphasising a shared expectation of coordination between Switzerland and the EU and EEA Member States concerning the adequacy of a third country. Thus, even if, as stated by the FDPIC, the Schrems II Judgment is not binding on Switzerland, a further need for coordination between Switzerland and the EU arose after the CJEU effectively invalidated the US-EU Privacy Shield.
Also, the FDPIC noted that the US had been on its list of countries offering an adequate level of data protection since 11 January 2017 on the basis of the Swiss-US Privacy Shield. When reviewing the Swiss-US Privacy Shield, the FDPIC made some key findings, including that:
- For persons in Switzerland, there is no enforceable legal remedy for any data access by US authorities, and a lack of transparency means that the FDPIC is unable to assess the effectiveness of the Ombudsman mechanism.
- The decision-making abilities of the Ombudsman and the Ombudsman's independence with respect to US intelligence services cannot be assessed.
On this basis, the FDPIC decided that this lack of transparency undermines the right to legal recourse and the principle of lawful processing of personal data.
Impact of the FDPIC's assessment
The question remains as to what the immediate impact is of the FDPIC's assessment that the Swiss-US Privacy Shield does not offer adequate protection. Notably, further to the FDPIC's review, the List has been adapted to reflect that special protection rights provided to persons in Switzerland in the context of the Swiss-US Privacy Shield do not meet the requirements of adequate data protection as defined by the FADP. Comparing the FDPIC's assessment with the Schrems II Judgment, Eugen Roesle, Senior Legal Consultant at Swiss Infosec, told OneTrust DataGuidance, "Unlike the EU Commission's adequacy decisions the FDPIC's statement about the Swiss-US Privacy Shield is not legally binding in a formal sense." He continued, "Data subjects may still benefit from the (little) advantages of the Swiss-US Privacy Shield, although as a whole it does not provide an adequate level of protection."
Discussing the effect of the FDPIC's decision on the Swiss-US Privacy Shield and its impact on companies, Clara-Ann Gordon, Partner at Niederer Kraft & Frey Ltd., pointed out, "The FDPIC's assessment is a recommendation, which is only de facto legally binding and specifies how the FDPIC interprets the law. It is treated as an assumption in legal proceedings and would have to be refuted by the company that is accused of violating Swiss data protection laws. The Swiss-US Privacy Shield is, therefore, still valid and binding for the companies registered under it. However, we would encourage companies to select other bases for transferring personal data to the US."
Moreover, Sylvain Métille, Partner at HDC, commented, "Pragmatically, and in particular for existing transfers, many companies wait and see what will come out of the EDPB taskforces. The FDPIC does not seem to plan any enforcement actions and has not even asked for the dismantling of the invalidation or cancellation of the Swiss-US Privacy Shield." He continued, "The impact of the FDPIC's assessment is that companies subject to the FADP can no longer invoke with legal certainty the Swiss-US Privacy Shield when transferring data to the US. It is advisable for such companies to consider implementing additional measures to fulfil the Swiss data protection requirements."
Next steps for companies
As previously shown, the FDPIC's assessment of the Swiss-US Privacy Shield is not binding on companies and does not invalidate the Privacy Shield. However, it does raise the question of how companies should adapt to this finding when transferring data to the US.
In relation to the impact of the FDPIC's assessment and the next steps for companies, Gordon noted, "The impact of the FDPIC's assessment is that companies subject to the FADP can no longer invoke with legal certainty the Swiss-US Privacy Shield when transferring data to the US […] To begin with, Swiss companies should assess whether they rely on the Swiss-US Privacy Shield for personal data transfers to US companies. If so, the FDPIC suggests that the companies concerned implement contractual safeguarding obligations such as Binding Corporate Rules ('BCRs') or Standard Contractual Clauses ('SCCs'). However, as US authorities might be able to access a US company's database, these contractual obligations might not prove sufficient under Swiss data protection laws. In this case, Swiss companies should implement other measures such as anonymisation of personal data and/or its encryption. The company can also always rely on the data subject's consent. However, it should be kept in mind that informed consent is required and that such consent can be withdrawn at any time."
Moreover, Roesle noted, "As a preliminary measure and if not yet done, a mapping of all data transfers to third countries (especially to the US) is indispensable. As a next step, data recipients subject to special access by state authorities should be identified. If this is the case for a data recipient, the FDPIC does not consider the Standard Contractual Clauses as sufficient safeguards."
On the topic of SCCs, it is not entirely clear whether the FDPIC's assessment may impact the decision of companies to rely on SCCs when transferring data abroad. In this regard, Métille highlighted, "The SCCs are a fragile option in many cases, to be used with caution in the absence of other grounds." Furthermore, commenting on the ability of companies to rely on SCCs after the FDPIC's assessment, Gordon stated, "In our opinion, the FDPIC's recent assessment does not affect the ability of companies to rely on SCCs when transferring data from Switzerland to the US. The assessment merely shows that SCCs do not constitute sufficient legal grounds for a data transfer where (US) authorities might be able to access such data. If US authorities cannot access the US company's data, then SCCs provide a sufficient legal basis for the transfer."
The FDPIC's finding on the Swiss-US Privacy Shield, coming after the Schrems II Judgment, is not entirely surprising. Roesle commented, "In light of the fact that Switzerland longs to keep its status as a country with an adequate level of data protection, this development may not come as a surprise." Nevertheless, the FDPIC's finding raises some interesting questions on how companies based in Switzerland will approach cross-border flows of data to the US in the future.
Suzanna Georgopoulou Privacy Analyst
Comments provided by:
Clara-Ann Gordon Partner
Niederer Kraft & Frey Ltd.
Eugen Roesle Senior Legal Consultant
Swiss Infosec AG, Zurich
Sylvain Métille Partner
1. Available at: https://www.newsd.admin.ch/newsd/message/attachments/62791.pdf
2. Available at: http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=9791227
3. Available at: https://www.newsd.admin.ch/newsd/message/attachments/62784.pdf