Based on the groundbreaking Schrems II decision, the FDPIC concludes that the Privacy Shield CH – USA does not provide an adequate level of data protection. So, what are the challenges for companies transferring personal data to the US?
However, the ECJ has emphasized that not every transfer to third countries can be secured with the standard contractual clauses. Rather, these clauses are considered to only provide effective protection if both the data exporter and the recipient in the third country ensure that their provisions can be complied with. If, on the other hand, the standard contractual clauses cannot be complied with, the parties involved must provide other appropriate safeguards or terminate the data transfer.
In the wake of the Schrems II decision, most companies within the EEA are likely to use the standard contractual clauses, as they can be concluded relatively quickly. However, interventions by American security authorities cannot be consistently prevented using the standard contractual clauses, since mandatory provisions of US law may prevail. Therefore, a company that transfers personal data to the USA may not comply with data protection laws solely by implementing the standard contractual clauses.
Unsurprisingly, the Federal Data Protection and Information Commissioner (FDPIC) announced in his public statement of 8 September 2020 that in light of the Schrems II decision he will update the listing of the USA.
The FDPIC's list of countries whose legislation guarantees adequate data protection (art. 6 para. 1 DPA) serves as a tool for Swiss data exporters by providing a general assessment of the current level of data protection in the countries listed. Admittedly, data transfers to the USA have not been readily possible in the past: there is also a Privacy Shield in Switzerland, enabling US companies to be certified as data protection-compliant contract partners guaranteeing adequate protection in accordance with art. 6 para. 1 FADP.
In his latest statement, the FDPIC assumes - with similar arguments as the ECJ in the Schrems II decision - that for data transfers to the USA, the adequate level of data protection required under art. 6 para. 1 FADP cannot be guaranteed solely by the Privacy Shield. Following the ECJ, the FDPIC rightly points out that contractual guarantees of an adequate level of protection, such as standard contractual clauses or "Binding Corporate Rules", are not able to prevent access to personal data by foreign authorities as long as the public law of the importing state prevails and allows access to the transferred personal data without effective legal protection being available to the persons concerned. This is the case both for the transfer of personal data to the USA and to numerous other non-listed countries.
First, it should be noted that the FDPIC has no authority to rescind the CH-US Privacy Shield. The classification of the respective countries into different data protection categories is only a so-called rebuttable presumption. The classification does not relieve data exporters from their obligation to examine the presumed level of protection if there are indications of data protection risks in a specific case and, if necessary, to implement protective measures in accordance with art. 6 para. 2 FADP. The case law of the Swiss courts, which has not yet been established, is decisive in this regard.
In agreement with the FDPIC, we recommend that a careful examination of each individual case be carried out for future transfers of personal data to the USA or other non-listed countries:
a) In addition to the clauses: Implementation of technical measures.
The aim is to prevent access by authorities in practice rather than by legal means. For simple data storage in a cloud, for example, encryption implemented according to the principles of BYOK (bring your own key) and BYOE (bring your own encryption) is conceivable, so that no real data is available in the target country and the service provider has no possibility of accessing the data.
b) As an alternative or in addition to the clauses: obtaining the explicit consent of each data subject.
It should be noted that strict conditions apply to valid consent:
We will stay alert and inform you about further developments whenever necessary. The MME data protection team looks forward to continuing to guide innovative companies through the constantly expanding maze of data protection stumbling blocks.