In July, we reported that the EU Court had invalidated the viability of the US-EU Privacy Shield (EU Invalidates the Privacy Shield . . BUT Says Contracts May Save the Day!). A few weeks ago (September 8, 2020), the Swiss Federal Data Protection and Information Commissioner (FDPIC) also decided to remove the United States from a list of nations that are considered to be providing “adequate level of data protection.”
Unlike the EU Court’s decision, decision by the Swiss FDPIC does not automatically invalidate the applicability of the Privacy Shield, because the list of countries on or off the list is technically not legally binding. That said, if your company is relying on the Swiss-US Privacy Shield to continue to transfer data from Switzerland to the United States, it would not be prudent to assume these transfers will continue to be viewed as complying with the adequate protection standards under Swiss law. It seems to make sense to re-assess the risks and start relying on corporate policies and regulations, as well as legally binding contract clauses to ensure they are consistent with Swiss data protection law.
Even when the company policies and contract provisions are properly constructed, there still remains the risk that even these protections may be considered inadequate. For example, if local authorities have the right to obtain the data without safeguards and legal protections consistent with those required under Swiss regulation, the transfer may be considered in contravention of Swiss law. Similarly, if the entity to which the data is being transferred is not legally obligated, for any reason, to cooperate with the enforcement requirements that may apply under Swiss law this too creates a problem. While encryption technology exists that can ensure no personal data can become available in another country, that approach only makes sense for pure storage capability (e.g., cloud based storage) but NOT if the data is intended to be used, displayed or otherwise handled in another nation.
While further guidance and information may ultimately be promulgated by the FDPIC, at present, a review of current procedures and data transfers, the exercise of caution and consideration of implementing additional steps to deal with this development in Switzerland, as with the EU Court decision, seems to be a prudent course of action.
At Rimon Law, our professionals are available to answer question about these developments, so feel free to contact me, Joe Rosenbaum, or any of the Rimon lawyers with whom you regularly work for information about this or any other matters.