Swiss-US Privacy Shield insufficient according to FDPIC

First, what do Swiss companies have to do now?

  • Check whether your company transfers personal data to the USA based on the Swiss-US Privacy Shield. A list of providers that (at least partially) rely on the Swiss-US Privacy Shield can be found here: Privacy Shield list (click the Advanced button and set the “Program” filter to Swiss-US). A good starting point may also be your own privacy policy, which often states whether the Swiss-US Privacy Shield is used.
  • If such transmissions take place, check whether you can mitigate the existing data protection risks with contractual guarantees instead (more on this below).
  • If this is not possible, consider solutions that effectively prevent access (e.g. encryption), suspend data transmission (more on this below), switch to a European provider or – in the case of smaller data sets or data sets that are yet to be established – obtain the consent of all those concerned.

Background:

Anyone wishing to transfer personal data abroad must first consider the data protection implications. A simple transfer without further measures is only permitted to those countries that provide an adequate level of data protection. In the absence of appropriate legislation, further measures must be taken, such as standard contractual clauses. In Switzerland, the list of states maintained by the Federal Data Protection and Information Commissioner (FDPIC) provides information on which countries have an adequate level of data protection.

The USA is probably the best-known nation that does not have an adequate level of data protection. This is why both the EU and Switzerland had negotiated frameworks with the USA, the so-called EU-US and Swiss-US Privacy Shield. Under these frameworks, US companies were able to self-certify and subject themselves to certain data protection rules and processes. In return, the EU and Switzerland treated the transfer of personal data to such companies as if the recipient were in a country with an adequate level of data protection.

The European Court of Justice declared the EU-US Privacy Shield invalid in its ruling of 16 July 2020 (see our previous blog post). The Swiss equivalent remained formally unaffected by this, as decisions of the European Court of Justice are not binding for Switzerland.

In today’s media release, the FDPIC has now announced that in his opinion, the Swiss-US Privacy Shield also no longer offers adequate protection. As a consequence, he has updated the list of states. Even US companies certified according to Swiss-US Privacy Shield no longer offer adequate data protection, which is why transmission to them is only permitted under Swiss data protection law if the protection of personal data is ensured by other measures.

The FDPIC proposes a three-part review process for the transfer of personal data to the USA or other countries which do not have an adequate level of data protection, based on contractual guarantees:

  1. Risk assessment
    Firstly, a risk assessment should be conducted to determine whether the existing data protection risks can be covered by standard contractual clauses, possibly with amendments.
  2. Position of the recipient
    Secondly, it should be checked whether the recipient of the data is subject to special access by local authorities (such as US mass surveillance laws) and whether it is in a position to provide the contractual cooperation required for the protection of personal data.
  3. Protection through technical measures
    If the risk of access by the authorities cannot be mitigated due to the position of the recipient, technical measures should be taken to effectively prevent access, such as BYOK (bring your own key) solutions, in which the recipient does not hold the key needed to decrypt the data.
    For many cloud services, however, BYOK is technically difficult to implement or is usually not even offered. In such cases, the FDPIC recommends not transferring personal data based on contractual guarantees.
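The following added example illustrates the property step 3 describes, namely that the data recipient stores only ciphertext and never holds the decryption key. It is not code from the FDPIC or from the original post; the `Controller` and `Provider` types, the record ids and the sample record are constructed for illustration. The controller generates a 256-bit AES key locally, encrypts each record with AES-GCM before upload, and binds the record id as associated data so that a blob copied under another id will not decrypt; the provider is a plain key/value store with no access to the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Provider models a cloud service in a country without adequate protection.
// It stores opaque blobs and never receives key material (constructed type).
type Provider struct {
	store map[string][]byte
}

func NewProvider() *Provider { return &Provider{store: map[string][]byte{}} }

func (p *Provider) Put(id string, blob []byte)       { p.store[id] = blob }
func (p *Provider) Get(id string) ([]byte, bool) { b, ok := p.store[id]; return b, ok }

// Controller is the Swiss data exporter. The key is generated and kept here
// (BYOK in the sense used above: the recipient cannot decrypt what it stores).
type Controller struct {
	aead cipher.AEAD
}

// NewKey returns a fresh random 256-bit AES key that never leaves the controller.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func NewController(key []byte) (*Controller, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Controller{aead: aead}, nil
}

// Seal encrypts one record under a fresh nonce. The record id is passed as
// associated data, so the ciphertext is tied to the id it was uploaded under.
func (c *Controller) Seal(id string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, c.aead.Seal(nil, nonce, plaintext, []byte(id))...), nil
}

// Open verifies the GCM tag and decrypts; a wrong key or a relabelled blob fails.
func (c *Controller) Open(id string, blob []byte) ([]byte, error) {
	ns := c.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short to contain a nonce")
	}
	return c.aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
}

// Upload encrypts locally and hands only ciphertext to the provider.
func (c *Controller) Upload(p *Provider, id string, plaintext []byte) error {
	blob, err := c.Seal(id, plaintext)
	if err != nil {
		return err
	}
	p.Put(id, blob)
	return nil
}

// Download fetches the blob and decrypts it on the controller's side.
func (c *Controller) Download(p *Provider, id string) ([]byte, error) {
	blob, ok := p.Get(id)
	if !ok {
		return nil, errors.New("record not found")
	}
	return c.Open(id, blob)
}

func main() {
	key, _ := NewKey()
	c, _ := NewController(key)
	p := NewProvider()
	record := []byte("name=Anna Muster;city=Bern") // constructed sample record
	_ = c.Upload(p, "rec-1", record)
	blob, _ := p.Get("rec-1")
	fmt.Println("provider sees plaintext:", bytes.Contains(blob, []byte("Anna")))
	got, err := c.Download(p, "rec-1")
	fmt.Println("controller recovers record:", err == nil && bytes.Equal(got, record))
}
```

The point of the check in `main` is the one the FDPIC's step 3 turns on: what the recipient can hand over to its authorities is the blob, and without the controller's key the blob is not personal data it can read. Note that the post's definition requires the recipient to lack the key altogether; a key imported into a provider-operated key management service that the provider can still use at runtime does not match that description.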

Under Swiss data protection legislation, both the current and the draft of the new data protection law allow for the possibility of transferring personal data with the express consent of the data subject. If this solution is chosen, special attention should be paid to informing the data subjects in detail, otherwise the consent could be invalid.