News

11.07.2024

Swiss-US Data Privacy Framework: Slowly But Steady?

Despite ongoing efforts to align with EU data protection standards, the Swiss-U.S. Privacy Framework remains a work in progress, leaving Swiss controllers with legal uncertainty and the burden of additional compliance measures when transferring data to the US.

Context and Development

On July 10, 2023, the EU Commission issued its adequacy decision for the EU-U.S. Data Privacy Framework. The decision confirms that, under the new framework, the United States provides an adequate data protection level, comparable to the standards in the European Union. This means that personal data can be transferred from the EU to U.S. companies participating in the framework without additional privacy safeguards.

On the same day that the EU Commission published its adequacy decision, the Swiss Federal Data Protection and Information Commissioner (FDPIC) announced that Switzerland has taken note of the EU adequacy decision and is also engaged in discussions on a parallel framework, which are well advanced. In addition to adopting the Swiss-U.S. Privacy Framework, the Federal Council would have to amend Annex 1 of the Data Protection Ordinance (DPO), which contains a list of countries with an adequate level of data protection.

However, to date, there has been no official announcement regarding developments in the Swiss-U.S. data protection adequacy.

 

Consequences of the consequences of the non-existent Swiss adequacy decision

As a result of this lengthy process, Switzerland still considers the U.S. to have an inadequate level of data protection. This means that data controllers must assess each data transfer to the US on a case-by-case basis (e.g., by conducting a Data Transfer Impact Assessment) and implement additional organizational and technical measures to ensure adequate protection of the personal data transferred. This process is labor-intensive and involves a high degree of legal uncertainty, as the controller has no guarantee that the measures taken are sufficient. The consequences of an unlawful data transfer can include criminal fines of up to CHF 250,000 for the individual responsible for the data processing within the controller’s organisation (Art. 61 FADP).

Despite the current unsatisfactory legal situation, there have been no significant enforcement actions or fines in Switzerland regarding data transfers to the US. This suggests a relatively low risk of immediate consequences, which may explain the lack of criticism of the lengthy process of concluding the Swiss-US Privacy Framework.

 

Guidelines for verifying the permissibility of international data transfers

The FDPC has published guidelines to help ensure compliance with Swiss data protection laws when personal data is transferred abroad. The key takeaways are outlined below:

Check Annex 1 of the DPO: Confirm that the receiving country offers an adequate level of data protection. For the countries listed in Annex 1 of the DPO, an adequate level of protection is presumed; for other countries, the controller may assess adequacy at its own risk.

SCCs: If the country lacks adequate protection, include data protection clauses in the contract with the data recipient. These must be pre-approved by the FDPIC. The FDPIC has approved the EU Standard Contractual Clauses (SCCs), but has published guidelines on how the EU SCCs must be amended to comply with Swiss data protection law.

Detailed Documentation: Maintain comprehensive records of the data transfer, including the nature, purpose, data categories, and involved third parties.

Four Key Guarantees - Ensure the third country provides:

  1. Legality: Clear rules for data access by authorities.
  2. Proportionality: Appropriate measures for regulatory objectives.
  3. Effective Remedies: Legal remedies for privacy rights.
  4. Judicial Oversight: Independent judicial oversight.

Additional Measures: Implement technical and organizational measures, such as encryption, to safeguard data when guarantees are insufficient.

Regular Review: Periodically review the third country’s conditions to ensure continued compliance. Suspend or terminate transfers if adequate protection is not maintained.

 

Conclusion

The Swiss-U.S. Privacy Framework remains incomplete, leaving Swiss companies in legal uncertainty when transferring personal data to the US. Without an adequacy decision, companies must conduct extensive assessments and implement extra measures to ensure data protection. Despite minimal enforcement actions so far, formalizing the framework is essential to streamline compliance and provide legal certainty. Until then, following FDPIC guidelines and using Standard Contractual Clauses are crucial for managing international data transfers.

 

Article provided by INPLP members: Lukas Bühlmann and Michael Reinle (MLL Legal LTD, Switzerland)

co-author: Max Königseder

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)