Even though Switzerland is not a member of the European Union and therefore not legally bound by the Schrems II ruling (which invalidated the EU-U.S. Privacy Shield), Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) has reassessed the nearly identical Swiss-U.S. Privacy Shield framework in the wake of that decision, reaching a nearly identical conclusion.
On Sept. 8, the FDPIC announced that the Swiss-U.S. framework does not provide an adequate level of protection for data transfers from Switzerland to the U.S. under Swiss law. As a result, the FDPIC has amended its so-called list of countries, which documents the adequacy of data protection in various countries. Specifically, the FDPIC has changed its assessment of the U.S. from “adequate protection under certain conditions” to “inadequate.”
However, unlike the fate of the EU-U.S. Privacy Shield following Schrems II, the Swiss-U.S. Privacy Shield technically remains valid. As explained in a policy paper also released Sept. 8, the FDPIC lacks authority to annul the regime itself. Rather, it is charged with maintaining the list of countries. Consequently, the FDPIC has added an explanatory note to that document, clarifying that the rights afforded under the Swiss-U.S. Privacy Shield “do not meet the requirements of adequate data protection as defined” by Switzerland’s data protection law.
The FDPIC’s policy paper also notes that standard contractual clauses and binding corporate rules—frequently used in Switzerland—may not satisfy the requirements of Swiss law. Thus, following the lead of the European Court of Justice in Schrems II, the FDPIC concluded that data exporters using such transfer mechanisms must conduct risk assessments and “consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data.”
If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content.