CJEU: Privacy Shield invalid – Transatlantic data traffic (again) to a large extent illegal

In a nutshell:

  • The Court of Justice of the European Union in its decision of 16 July 2020 declared the EU-US Privacy Shield invalid. As a result, numerous transfers of personal data from companies in the EU to the USA are no longer data protection compliant.
  • Switzerland has its own treaty, the Swiss-US Privacy Shield, which is essentially identical to that of the EU. In contrast to the EU, the Swiss-US Privacy Shield is currently still valid and in force. However, it can be expected that the Swiss-US Privacy Shield will soon be repealed or declared invalid as a result of the CJEU ruling.
  • Swiss companies should therefore do the following:
    1. Check whether they transfer personal data to the USA based on the Swiss-US Privacy Shield. Ideally, this can be checked via one’s own privacy policy, which is often available on one’s own website.
    2. If yes: Implement other measures, such as entering into the EU Standard Contractual Clauses on data protection with the target company in the USA. Certain US service providers had already offered, on their own initiative, to conclude these before today’s decision. Alternatively, a switch to a provider in Switzerland/EU/EEA could be considered, or a contractual guarantee that data processing will only take place in this area.

The background:

Under the data protection laws of the EU (GDPR) and Switzerland, the transfer of personal data abroad (e.g. to subcontractors such as Salesforce or Mailchimp) is only permitted if the target country has an adequate level of data protection. If there is no adequate level of legal protection, additional measures must be implemented to protect the personal data. In the opinion of the EU and Switzerland, the USA does not have an adequate level of protection.

One possible measure in the case of the USA has so far been the (Swiss or EU)-US Privacy Shield certification of the subcontractor in the USA. The list of all certified providers can be found here: https://www.privacyshield.gov/list (set filter “Program” to “Swiss-US”).

Another possibility – and probably the most common besides the Privacy Shield – is to conclude the EU Standard Contractual Clauses on data protection. These can be accessed here: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087

Many companies based in Switzerland or the EU have subcontractors based in the USA who process personal data on their behalf. This is particularly common with Software-as-a-Service (SaaS) offerings such as Mailchimp, Workday, Salesforce or other cloud services such as web hosting or Amazon Web Services.

Numerous Swiss companies have so far based their transfers of personal data on the Swiss-US Privacy Shield. Formally this is still in force, but the Federal Data Protection and Information Commissioner (FDPIC), who is responsible for this in Switzerland, had already announced earlier that his assessment of the adequacy of the Swiss-US Privacy Shield depends on the EU’s assessment of the EU-US Privacy Shield:

“In view of the fact that Switzerland and the EU mutually recognise the adequacy of their legal systems with regard to data protection, Switzerland affirms the adequacy of the Swiss-US Privacy Shield, provided that the EU recognises the adequacy of the EU-US Privacy Shield.”

– Translated extract from the report of the FDPIC on the second Swiss-US Privacy Shield Review (2019)

It can therefore be expected that the Swiss-US Privacy Shield will also be declared invalid or revoked in the near future.

Swiss companies that currently transfer personal data to the USA on the basis of the Swiss-US Privacy Shield should therefore implement other measures. In most cases, the focus will be on entering into the EU Standard Contractual Clauses. Alternatively, for some, switching to a European provider or guaranteeing that data processing takes place in Switzerland/EU/EEA could be an option.