Following the CJEU’s invalidation of the EU Commission’s adequacy decision on the EU-U.S. Privacy Shield in Schrems 2.0, on September 8, 2020, the Federal Data Protection and Information Commissioner (FDPIC) found that the Swiss-U.S. Privacy Shield does not meet the data protection standards set by the country's Federal Act on Data Protection (FADP).
How did they do it?
Switzerland is not a member of the EU or the EEA; therefore, it was not technically bound by the CJEU's decision in Schrems 2.0. However, demonstrating the decision's significance, the FDPIC proactively undertook a review of the Swiss-U.S. Privacy Shield and effectively reached the same conclusion as the CJEU – that the Privacy Shield was not fit for its purpose.
The
policy paper published by the FDPIC explains clearly the rationale:
- Article 6 of the FADP prohibits cross-border transfers of personal data if the transfer seriously endangers the subjects' privacy (in particular due to the lack of legislation granting adequate protection).
- To aid in the assessment of whether a given country lacks adequate protection, the FDPIC maintains a list where the level of data protection in foreign countries is categorized as:
- adequate;
- adequate under certain circumstances; or
- insufficient.
Prior to the review, the United States fell into Category B (adequate under certain circumstances), as the FDPIC assumed an adequate level of protection only for those U.S. businesses that had obtained a certification under the Swiss-U.S. Privacy Shield regime.
Following the review, the United States was downgraded to Category C (insufficient), with an explanatory note stating that the Privacy Shield regime does not meet the requirements of adequate data protection required by the FADP. This downgrade was based on the lack of an enforceable legal remedy with regard to data access by U.S. authorities, violating certain rights enjoyed by Swiss data subjects. This is in line with the CJEU's rationale for striking down the EU-U.S. Privacy Shield.
However, unlike the CJEU, the FDPIC is a data protection authority and not a judicial decision-making body. As such, the Swiss-U.S. Privacy Shield is still legally valid – although the FDPIC is likely to frown on organizations who seek to rely on it to facilitate international data transfers between Switzerland and the United States.
What does it mean?
Transfers that were previously based on the Swiss-U.S. Privacy Shield framework may now need to be restructured using standard contractual clauses or binding corporate rules, although it should be stressed that these solutions are not easy fixes. The FDPIC explicitly states that these, too, may fail to meet the legislation's standards, as they do not prevent excessive data access by U.S. authorities.
Businesses impacted by the Swiss Commissioner's decision should carefully consider the recommendations given by it in its policy paper. Notably:
- If using contractual provisions, have these been expanded as much as possible?
- Is the transferred data subject to excessive access rights by local authorities?
- If so, which technical solutions can be implemented to limit access to the transferred data?
As the repercussions of Schrems 2.0 continue to unravel, these questions will become of crucial importance.