Switzerland’s DPA says the Swiss-US Privacy Shield is not adequate



Following the CJEU Schrems II decision on EU-US data transfers, Switzerland's Federal Data Protection and Information Commissioner (FDPIC) has assessed the Swiss-US Privacy Shield agreement as not offering an adequate level of protection for data transfers from Switzerland to the US.

The DPA offers Swiss companies the following guidance:

  1. The need to conduct a risk assessment.
  2. “It must also be considered whether the foreign recipient company is entitled and in a position to provide the cooperation necessary for the enforcement of Swiss data protection principles. If this is not the case, any provisions in the Standard Contractual Clauses (SCCs) concerning the obligation to cooperate are negated.”
  3. “In such cases, the Swiss data exporter must consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data. If data is stored solely in the cloud by service providers in a non-listed country, for example, encryption would be conceivable, along the principles of BYOK (bring your own key) and BYOE (bring your own encryption), so that no individual personal data would be available in the destination country and if the service provider would have no possibility of decoding the data themselves. For services in the target country that go beyond mere data storage, however, the use of such technical measures is demanding. If such measures are not possible, the FDPIC recommends refraining from transferring personal data to the non-listed country on the basis of contractual guarantees.”

The DP Commission’s assessment of 8 September is subject to appeal to the Swiss courts.

See:

For more news and detailed analysis about data transfer issues, including under Brexit, read PL&B UK and International Reports.