LAUX LAWYERS AG Policy Alert: Swiss–U.S. Privacy Shield according to FDPIC no longer a suitable basis for the transfer of personal data to the U.S.
In a Statement published on September 8, 2020, the Federal Data Protection and Information Commissioner (FDPIC) concludes that the Swiss–U.S. Privacy Shield is no longer a suitable basis for the transfer of personal data to the U.S. In future, companies must therefore base such data transfers on another suitable guarantee within the meaning of Art. 6 para. 2 of the Swiss Federal Data Protection Act (FDPA; Art. 13 para. 2 or Art. 14 of the revised FDPA). In this LAUX LAWYERS AG Policy Alert you will find our assessment of the FDPIC’s Statement and our recommendations for action.
The FDPIC made the Statement in the context of his annual review of the Swiss–U.S. Privacy Shield program and in particular against the background of the recent case law of the Court of Justice of the European Union (CJEU) on cross-border data transfer (Schrems II, judgement of July 16, 2020, in which the CJEU invalidates the EU–U.S. Privacy Shield program; see our column on Inside IT).
U.S. now no longer among the states with a partially adequate level of data protection
At the same time, on September 8, the FDPIC updated his list of states whose legislation, according to his assessment, guarantees an adequate level of data protection (List of States). The List of States distinguishes between states with an adequate level of protection, states that offer an adequate level of protection subject to further conditions and states without an adequate level of protection.
The FDPIC previously listed the U.S. under “adequate level of protection subject to further conditions”. Swiss companies could – in relation to U.S. companies that are Swiss–U.S. Privacy Shield certified – presume that a transfer of personal data to such U.S. companies would not infringe the personality of the persons concerned and would therefore be lawful in the sense of Art. 6 para. 1 FDPA. This presumption no longer applies, because the U.S. now appears on the List of States as one of the states without an adequate level of data protection.
Transfer abroad under the revised FDPA
Note: In the future (Art. 13 para. 1 of the revised FDPA), the Federal Council (probably on the recommendation of the FDPIC) will (formally) decide which states grant, in their legislation, a level of data protection equivalent to that provided by the (revised) FDPA. This will increase legal certainty for Swiss companies insofar as a positive decision by the Federal Council will no longer merely give rise to a presumption of adequacy with regard to a state, but will allow data transfers to companies in such states without further examination, as if it were a transfer within Switzerland. For transfers to all other states, Swiss companies must continue to implement other guarantees (Art. 13 para. 2 or Art. 14 of the revised FDPA), e.g. Standard Contractual Clauses.
Standard Contractual Clauses as a possible basis for data transfers
As the CJEU already did in the Schrems II decision, the FDPIC also generally comments on the use of so-called Standard Contractual Clauses as a possible basis for data transfers to the U.S. and other states without an adequate level of data protection. The FDPIC states that contractual guarantees are generally not suitable for preventing access to personal data by the authorities of the importing state as provided for under the laws of that state.
If, at the same time, there is insufficient transparency and legal protection for data subjects in this country of import or if it can be assumed for other reasons that the importing company will not be able to comply with the contractual agreements, contractual guarantees are not suitable to legitimize a data transfer to such a country. In such cases, according to the FDPIC, even Standard Contractual Clauses are therefore not a suitable basis for a data transfer to a country without an adequate level of data protection.
Case-by-case analysis and additional guarantees necessary
Accordingly, according to the FDPIC, it must be generally assumed that the Standard Contractual Clauses and comparable contractual safeguards “in many cases do not meet the requirements for contractual guarantees according to Art. 6 para. 2 lit. a FDPA for data transfers to non-listed countries”.
In this abstract and sweeping form, this finding is potentially explosive and has far-reaching consequences for Swiss companies wishing to transfer personal data to companies in states without an adequate level of data protection:
- In the context of a case-by-case analysis, the exporting company must examine with particular care whether data protection risks exist in a state and whether these can be mitigated with Standard Contractual Clauses or additional individually negotiated clauses (which regularly fails where data protection risks manifest themselves in the laws of the state in question).
- In this examination, the exporting company must analyze, in particular:
  - whether the data will be transferred to a company that is subject to specific access by the local authorities. In the U.S., these are in particular so-called Electronic Service Providers, which (according to the FDPIC) fall under “US mass surveillance laws”; and
  - whether the importing company in the recipient state is entitled and in a position to provide the cooperation necessary to enforce Swiss data protection principles.
Given the practical implications of the FDPIC’s Statement that the risk of access by authorities cannot be averted by implementing contractual guarantees such as the Standard Contractual Clauses, one would have hoped for a somewhat more differentiated and substantive analysis of, for example, the relevant mass surveillance laws and the associated risk to the personal rights of data subjects. In other words, the consequence of the FDPIC’s sweeping and abstract findings is the following:
The Swiss company exporting personal data has a comprehensive duty to analyze the risk of access by the authorities in the importing state and the duty to check in advance and continuously that the importing state is complying with the Standard Contractual Clauses in each individual case. This requires an analysis of the level of data protection granted by the legal system of the importing state. Swiss companies must use probability tests in their risk assessments. The depth of the examination must be determined in the light of the burden of proof (which will be distributed differently with regard to the criminal provision than in the case of allegations of infringement by a person concerned).
What should be done now?
Although the FDPIC’s Statement on the Swiss–U.S. Privacy Shield program and on the use of contractual guarantees (such as Standard Contractual Clauses) seems drastic at first glance, we advise Swiss companies to proceed in a considered and rational manner:
- A first, important step will certainly be to obtain an overview of whether, in the course of ongoing data processing, personal data is being transferred to companies in countries that do not offer an adequate level of protection according to the FDPIC’s List of States. As a rule of thumb, these are all countries outside the EU and EEA with the exception of Argentina, Canada, New Zealand, Uruguay, the United Kingdom and Israel.
- It must also be examined whether and in which cases the Swiss company has so far based data transfers to companies in the U.S. solely on the Swiss–U.S. Privacy Shield program. In these cases, a more in-depth analysis or contact with the data importer is recommended in order to examine the possibility of alternative guarantees.
- If the Swiss company uses Standard Contractual Clauses as guarantees for a data transfer, an in-depth analysis of the possible risks for data subjects is advisable in certain individual cases. It is worth taking a considered approach. In such situations, talking to the data importer and consulting experienced specialists can do much to provide clarity and avoid hasty decisions with possibly far-reaching financial consequences.
The advisors of LAUX LAWYERS AG have many years of practical experience in the field of international data transfers, particularly in connection with the use of cloud solutions and online platforms. They will be happy to assist you in planning the relevant and correct course of action for your company and to support its implementation.