Today, 8 September 2020, the Swiss Federal Data Protection and Information Commissioner ("FDPIC") issued a press release announcing it no longer considers the Swiss-US Privacy Shield regime to provide an adequate level of data protection. The FDPIC has taken its time to consider the July 2020 Schrems II decision by the Court of Justice of the European Union ("CJEU"), which found the EU-US Privacy Shield to be inadequate. It has now issued this decision on the basis of its own annual assessment of the virtually identical Swiss-US Privacy Shield.
Together with the press release, the FDPIC published a position paper intended to provide some guidance on what its decision means for Swiss businesses that transfer personal data to the USA or other countries on the FDPIC list of countries that do not provide an adequate level of data protection. The position paper explains that the Swiss-US Privacy Shield is inadequate in particular because of a lack of transparency and lack of a right of legal recourse. Access to personal data by the US authorities is not transparent and individual data subjects in Switzerland are not able to enforce resultant legal claims for breach of their data privacy rights. The Ombudsman who would nominally be able to hear such claims has no real power to implement the self-regulatory rules under the Privacy Shield.
The FDPIC also clarifies that neither the often-used Standard Contractual Clauses ("SCC") nor Binding Corporate Rules ("BCR") are capable of preventing access to personal data by foreign authorities if the law of the importing country allows officials to access such data without sufficient transparency and legal protection for data subjects. According to the FDPIC, this not only applies to the USA. An assessment must be made for every country that does not provide an adequate level of data protection. This is a very unfortunate decision by the FDPIC for Swiss businesses.
The position paper does try to offer some practical advice for businesses transferring personal data countries with an inadequate level of data protection such as the USA. In particular, the guidance suggests:
- The data exporter must always carry out a case-by-case assessment with due care and diligence.
- When using contractual guarantees (e.g. SCCs and BCRs) for a data transfer, the data exporter must carry out a risk assessment to check that the contractual guarantees cover the risks existing in the third country, such as access to the data by government surveillance operations without the possibility of legal recourse for the data subject. If this is not the case, the contractual guarantees need to be amended to address these risks. (Note: the European Commission has already indicated that it will publish amended SCCs by the end of this year.)
- If contractual guarantees cannot provide an adequate level of data protection, the data exporter must consider technical measures that prevent the authorities in the country of the data importer from accessing such personal data. For example, when using a cloud provider in a country that does not provide an adequate level of data protection, encryption technology may be used as a technical measure provided it is implemented on the basis of the principle of bring-your-own-key or bring-your-own-encryption, meaning that the data importer cannot decode the data at all. If that is not possible, according to the FDPIC transfers of personal data to countries with an inadequate level of protection should be stopped altogether.
This decision poses major hurdles for internationally active businesses as it drastically limits the possibilities to transfer personal data abroad in a legally compliant way. The practical advice offered by the FDPIC so far does not provide any real assistance to businesses trying to act in compliance with the law. In its position paper, the FDPIC promises further guidance for data exporting businesses, and it can only be hoped that this further guidance, when it comes, will take into consideration the need for businesses to transfer data without too many administrative and technical burdens.
The position paper of the FDPIC is available here. Please reach out to us if you would like to discuss this further. We would be happy to talk with you about the impact of the FDPIC's decision on your business and suitable solutions for your international data transfers.
Stay on top of the latest legal topics and subscribe to our blog here:
Photocredit: iStock / Arkadiusz Warguła