10 September 2020

The Future of Transfer of Personal Data from the EU / Switzerland to the USA (and other third countries)

  • Articles
  • Legal
  • Data / Technology / IP

Based on the groundbreaking Schrems II decision, the FDPIC concludes that the Privacy Shield CH – USA does not provide an adequate level of data protection. So, what are the challenges for companies transferring personal data to the US? Read more in our article.

With the groundbreaking Schrems II ruling, the ECJ has overturned the US-EU Privacy Shield, whereas, in principle, the transfer of data to a non-European country (third country) may still be based on the so-called standard contractual clauses (we reported: The end of the EU-US Privacy Shield).

However, the ECJ has emphasized that not every transfer to third countries can be secured with the standard contractual clauses. Rather, these clauses are considered to only provide effective protection if both the data exporter and the recipient in the third country ensure that their provisions can be complied with. If, on the other hand, the standard contractual clauses cannot be complied with, the parties involved must provide other appropriate safeguards or terminate the data transfer.

In the wake of the Schrems II decision, most companies within the EEA are likely to use the standard contractual clauses, as they can be concluded relatively quickly. However, interventions by American security authorities cannot be consistently prevented using the standard contractual clauses, since mandatory provisions of US law may prevail. Therefore, a company that transfers personal data to the USA may not comply with data protection laws solely by implementing the standard contractual clauses.

 

The Situation in Switzerland

Unsurprisingly, the Federal Data Protection and Information Commissioner (FDPIC) announced in his public statement of 8 September 2020 that in light of the Schrems II decision he will update the listing of the USA.

The FCPIC's list of countries whose legislation guarantees adequate data protection (art. 6 para. 1 DPA) serves as a tool for Swiss data exporters by providing a general assessment of the current level of data protection in the countries listed. Admittedly, data transfers to the USA have not been possible without further ado in the past: There is also a Privacy Shield in Switzerland, enabling US companies to be certified as data protection-compliant contract partners guaranteeing adequate protection in accordance with art. 6 para. 1 FADP.

In his latest statement, the FDPIC assumes - with similar arguments as the ECJ in the Schrems II decision - that for data transfers to the USA, the adequate level of data protection required under art. 6 para. 1 FADP cannot be guaranteed solely by the Privacy Shield. Following the ECJ, the FDPIC rightly points out that contractual guarantees of an adequate level of protection, such as standard contractual clauses or ""Binding Corporate Rules"", are not able to prevent access to personal data by foreign authorities as long as the public law of the importing state prevails and allows access to the transferred personal data without effective legal protection being available to the persons concerned. This is the case both for the transfer of personal data to the USA and to numerous other non-listed countries.

 

What applies to Swiss companies?

First, it should be noted that the FDPIC has no authority to rescind the CH-US Privacy Shield. The classification of the respective countries into different data protection categories is only a so-called rebuttable presumption. The classification does not relieve data exporters from their obligation to examine the presumed level of protection if there are indications of data protection risks in a specific case and, if necessary, to implement protective measures in accordance with art. 6 para. 2 FADP. The currently not yet established case law of the Swiss courts is decisive in this regard.

In agreement with the FDPIC, we recommend that a careful examination of each individual case be carried out for future transfers of personal data to the USA or other non-listed countries:

  • If the disclosure of data is based on contractual guarantees such as the standard contractual clauses, a risk assessment should be carried out. It is up to the data exporter to verify whether the clauses cover the data protection risks existing in the non-listed state.
  • If necessary, the clauses must be complemented. It should be borne in mind, however, that if the public law of the importing country prevails (as is the case in the USA), such additions are also of limited effect.
  • If the data is supplied to a company in the non-listed country that is subject to special access by the local authorities, it must also be determined whether the foreign recipient party is capable of providing the cooperation necessary to enforce Swiss data protection principles. If this is not the case, the obligations to cooperate, as stipulated in the clauses, are of no use.
  • In case the transfer of data based on the standard contractual clauses appears problematic due to the above-mentioned reasons, we recommend the following procedures

a) In addition to the clauses: Implementation of technical measures. 

The aim is to prevent access by authorities not legally, but factually. In the case of simple data storage in a cloud operation, for example, encryption is conceivable, which is implemented according to the principles of BYOK (bring your own key) and BYOE (bring your own encryption), so that no real data is available in the target country and the service provider has no possibility to access the data.

b) As an alternative or in addition to the clauses: obtaining the explicit consent of each data subject.

It should be noted that strict conditions apply to valid consent:

  • For Switzerland (art. 6 para. 2 lit. b FADP), consent must be obtained for each individual case after appropriate information has been provided.
  • Under EU law (art. 49 para. 1 lit. a GDPR) a valid consent requires that the individual has been informed of the lack of an adequate level of data protection in the corresponding third country as well as of the possible risks of a transfer of data due to the absence of an adequacy decision and appropriate safeguards.

We will stay alert and inform you about further developments whenever necessary. The MME data protection team looks forward to continuing to guide innovative companies through the constantly expanding maze of data protection stumbling blocks.