On September 8, 2020, the Swiss Federal Data Protection and Information Commissioner (FDPIC) announced that it no longer considers the Swiss-U.S. Privacy Shield (Swiss Shield) to provide adequate protections for transfers of Swiss personal data to the U.S. This development was anticipated following the invalidation of the EU-U.S. Privacy Shield by the Court of Justice of the European Union (CJEU) on July 16, 2020 in Schrems II (addressed in our previous alert here). The CJEU’s decision is not binding on Switzerland because Switzerland is not a member of the European Union (EU).
In its annual assessment of the Swiss Shield, the FDPIC concluded that the shortcomings identified by the CJEU in the Schrems II decision applied to the Swiss Shield. While the FDPIC’s assessment is subject to appeal to the Swiss courts, companies should assess the impact of the FDPIC’s position on their current or contemplated transfers made pursuant to the Swiss Shield.
There is currently no grace period for identifying suitable alternatives to the Swiss Shield. Therefore, companies that are certified to the Swiss Shield (or that rely on their processors’ certification) will need to implement alternative transfer mechanisms for Swiss-U.S. data transfers. These mechanisms include (i) EU Standard Contractual Clauses, which are frequently used in Switzerland and are still considered valid by the FDPIC, or (ii) Binding Corporate Rules approved by the FDPIC or other competent data protection authorities.
Following similar guidance issued by EU data protection authorities in the wake of the CJEU decision invalidating the EU-U.S. Privacy Shield, the FDPIC has provided specific recommendations for companies engaging in transfers of Swiss personal data to non-adequate countries, including the U.S.:
- Conducting a risk assessment to consider if personal data is adequately protected in the U.S. This requirement appears to place a burden on some companies that may not be in a position to sufficiently evaluate whether and to what extent personal data they process is at risk of being accessed by U.S. law enforcement or intelligence authorities. Nonetheless, the assessment should consider existing limitations on U.S. government access to personal data, including whether there is a designated, experienced individual or unit responsible for reviewing the requests to ensure, for example, that the requests are narrowly tailored and seek data relating to an ongoing investigation, and for determining whether requests served on a processor should instead be served on the controller. Companies should generally comply with data minimization principles in the first instance to limit the personal data they hold that could be accessible by U.S. authorities.
- Implementing additional measures where the risk assessment indicates that personal data is not adequately protected in the U.S. The FDPIC expressly recommends implementing technical measures that prevent government authorities from accessing the transferred personal data, such as encryption (this measure has also been recommended by some EU authorities, e.g., Germany, pending further guidance on this point by the European Data Protection Board).
- If additional protective measures cannot be implemented, the FDPIC recommends refraining from transferring Swiss personal data to the concerned countries.
Despite the FDPIC’s announcement, businesses certified to the Swiss Shield must continue complying with their obligations under the framework for as long as the certification is active. As with the EU-U.S. Privacy Shield, the U.S. Department of Commerce (DOC) will continue to administer the Swiss Shield framework and maintain the current Swiss Shield list.
We expect the Swiss government and the DOC to start discussions to evaluate an enhanced Swiss Shield, similar to the just-initiated discussions between the European Commission and the DOC in relation to the EU-U.S. Privacy Shield. Both processes are expected to face obstacles and a near-term fix does not appear to be in sight.
We will continue to keep you apprised of further developments. The European Data Protection Board recently announced the creation of a taskforce devoted to the development of guidance for businesses engaging in cross-border data transfers that could be useful for companies that are certified to the Swiss Shield. We would expect such guidance to include specificity on additional safeguards that companies can implement to ensure adequate protection when transferring Swiss data in particular, and EU data in general, to the U.S. and other countries that are not considered to have adequate legal frameworks for protecting personal data.
Goodwin’s top ranked Data, Privacy and Cybersecurity practice offers a multi-disciplinary approach to clients’ data protection needs. One of the longest-standing of any Am Law 50 firm, our global team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing and protection of their most sensitive information. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks; have advised on over 700 public and private transactions in the last year alone; and have designed strategic privacy, information security and compliance programs for startups, global enterprises, and everything in between. We have litigated landmark privacy cases and defended against class action and government enforcement actions brought by the FTC, OCR/HHS, state attorneys general and regulators across the globe.