The Schrems II decision, issued on July 16, 2020, continues to impact the ability of organizations to transfer personal data from the European Economic Area to the United States. The effects of the decision are now felt in Switzerland as the Federal Data Protection and Information Commissioner (FDPIC) addressed the issue on September 8, 2020. The FDPIC determined that the Swiss-U.S. Privacy Shield, which is separate and distinct from the EU-U.S. Privacy Shield and was not directly addressed by the Schrems II decision, nonetheless fails to provide an adequate level of protection for personal data transferred from Switzerland to the United States.[1] The Swiss-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and Swiss administration to provide organizations with a mechanism to comply with data protection requirements when transferring personal data from Switzerland to the U.S.[2] The FDPIC deleted the reference to ‘adequate data protection under certain conditions’ for the U.S. in the FDPIC’s list of countries providing adequate protection for data transfers out of Switzerland, which effectively invalidates the Swiss-U.S. Privacy Shield by rendering it useless on its own.[3] The FDPIC followed the reasoning of the Court of Justice of the European Union. This decision – though widely predicted – is significant, as the entirety of the U.S. Privacy Shield Framework has now been deemed invalid.[4] Similar to the Schrems II decision, the FDPIC further concluded that standard contractual clauses (SCCs) may not provide adequate protection for transfers to the U.S. or other third countries.
The U.S. Department of Commerce has not yet released a formal statement regarding this development. However, on September 16, 2020, the U.S. Privacy Shield website updated its Frequently Asked Questions (FAQs) to include a statement that the FDPIC issued an opinion that the Framework does not provide an adequate level of protection for data transfers from Switzerland to the U.S.[5] The FAQs suggest that organizations relying on the Swiss-U.S. Privacy Shield should seek guidance from the FDPIC or counsel.[6] Notably, the FAQs state that the FDPIC’s opinion does not relieve participants of their obligations if they are currently in the program. The FDPIC has not released any further guidance, but it is expected that the FDPIC will closely follow the actions of regulators in the European Union.
[1] Fed. Data Prot. & Info. Comm’r, Policy paper on the transfer of personal data to the USA and other countries lacking an adequate level of data protection within the meaning of Art. 6 Para. 1 Swiss Federal Act on Data Protection, https://www.newsd.admin.ch/newsd/message/attachments/62791.pdf (last visited Sept. 25, 2020).
[2] Privacy Shield Framework, Swiss-U.S. Privacy Shield FAQs, https://www.privacyshield.gov/swiss-us-privacy-shield-faqs (last visited Sept. 25, 2020).
[3] Fed. Data Prot. & Info. Comm’r, supra note 2.
[4] Privacy Shield Network, Privacy Shield Program Overview, https://www.privacyshield.gov/Program-Overview (last visited Sept. 25, 2020).
[5] Id.
[6] Id.