The fallout from the Schrems II judgment continued on Tuesday with an announcement from Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) that the Swiss-US Privacy Shield regime “does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to [Switzerland’s] Federal Act on Data Protection (FADP).”
In a seven-page policy paper, the FDPIC observed that although Switzerland is not bound by the CJEU’s Schrems II decision and there is no comparable Swiss legal decision, it nonetheless felt “compelled not only to reassess the current position of the US on” Switzerland’s list of countries with adequate data protections, “but also to provide more detailed legal justification for” its decision to amend that list with respect to the US.
Tracking the Schrems II decision, the FDPIC concluded that the potential impact of US surveillance laws on Swiss residents’ personal data without adequate redress is “irreconcilable with” the privacy rights guaranteed by FADP. The FDPIC reasoned: “Because there is no guarantee of rights that would afford persons concerned in Switzerland protection comparable to that afforded by [Swiss law], the FDPIC considers that data protection within the meaning of Art. 6 Para. 1 FADP is insufficient in the US, even for the processing of personal data by US companies that are certified under the [Swiss-US Privacy Shield] regime.”
The FDPIC noted that it does not have the authority to invalidate the Swiss-US Privacy Shield regime and its assessment is “subject to any deviating rulings by Swiss courts.” Consequently, the regime “can be invoked by persons concerned in Switzerland as long as it is not revoked by the USA.” However, the FDPIC amended its list to indicate that the rights provided by the regime “do not meet the requirements of adequate data protection as defined in the FADP.”
The FDPIC also tracked the Schrems II decision with respect to the use of Standard Contractual Clauses (SCCs) and binding corporate rules. The FDPIC concluded that those contractual safeguards “cannot prevent foreign authorities from accessing personal data if the public law of the importing country takes precedence and allows official access to the transferred personal data without sufficient transparency and legal protections of the persons concerned.” The FDPIC was quick to point out that this was true not only for transfers to the US, but to other non-adequate countries as well.
The FDPIC concluded by providing three practical tips for Swiss companies transferring data to countries where there is not an adequacy determination.
First, companies relying on contractual provisions, such as SCCs, must conduct a risk assessment and expand contractual clauses (if possible) to address the law of the receiving country.
Second, companies need to consider whether the law in the receiving country permits the transferred data to be “subject to special access by local authorities” and whether the receiving company is in the position to enforce Swiss data protection principles.
Finally, in such situations, the Swiss data exporter “must consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data.” According to the FDPIC:
If data is stored solely in the cloud by service providers in a non-listed country, for example, encryption would be conceivable, along the principles of BYOK (bring your own key) and BYOE (bring your own encryption), so that no individual personal data would be available in the destination country and if the service provider would have no possibility of decoding the data themselves. For services in the target country that go beyond mere data storage, however, the use of such technical measures is demanding. If such measures are not possible, the FDPIC recommends refraining from transferring personal data to the non-listed country on the basis of contractual guarantees.
As noted in our prior post, the EDPB and European Commission are on track to provide further guidance on cross-border data transfers in light of Schrems II in the coming months.