Data transfers to the U.S. under the Privacy Shield frameworks

Companies in the European Union (EU) and European Economic Area (EEA) are generally restricted under the EU General Data Protection Regulation (GDPR) from transferring personal data of natural persons (for example data relating to customers or employees) to Non-EU/EEA countries unless specific safeguards are in place. In particular, transfers of personal data to the U.S. have so far been permitted if the importing U.S. company is certified under the so-called EU-U.S. Privacy Shield framework, based on a decision taken by the European Commission in July 2016.

A nearly identical mechanism exists for Swiss companies: Whilst the Swiss Data Protection Act (DPA) generally restricts transfers of personal data to certain foreign jurisdictions including the U.S., data transfers to U.S. based companies certified under the Swiss-U.S. Privacy Shield framework have been permitted since April 2017. According to the Federal Data Protection and Information Commissioner (FDPIC), more than 3'300 U.S. companies have been licensed under the framework to date, including corporations such as Facebook, Amazon and Google.
 

CJEU ruling in respect of the EU-U.S. Privacy Shield framework

On 16 July 2020, the Court of Justice of the European Union (CJEU) ruled that the European Commission's decision regarding the EU-U.S. Privacy Shield framework was invalid ("Schrems II" ruling). The ruling was handed down in the context of a lawsuit brought by Maximillian Schrems against Facebook Ireland and is, inter alia, based on the argument that the framework would not sufficiently protect the data of EU individuals against access by US authorities.

It is uncertain whether, as a result of the Schrems II ruling, the EU-U.S. Privacy Shield framework will be replaced by another mechanism in the near future, given that already the preceding EU-U.S. Safe Harbor framework had been invalidated by the CJEU back in 2015 ("Schrems I" ruling).

Consequently, EU-based companies will likely need to rely on other safeguards for ongoing and future data transfers to the U.S., such as the so-called EU Standard Contracts (whose validity has generally been confirmed by the Schrems II ruling).

Impact on Swiss companies

Switzerland is not directly impacted by the Schrems II ruling, given that it is not party to the EU-U.S. Privacy Shield framework and that the CJEU's decision striking down the EU-U.S. Privacy Shield framework does not invalidate the Swiss-U.S. Privacy Shield framework. So far, the FDPIC has published a short statement that the Schrems II ruling is not directly applicable to Switzerland. The competence to formally terminate the Swiss-U.S. Privacy Shield framework lies with the Swiss Federal Council.

However, based on the FDPIC's earlier activities undertaken in the context of the Schrems I ruling, it cannot be ruled out that the FDPIC may now conclude that – considering the Schrems II ruling – the Swiss-U.S. Privacy Shield framework does not provide an adequate level of protection for data transfers from Switzerland to the U.S. That said, such finding by the FDPIC would not be legally binding since the adequacy of foreign data protection legislations will ultimately be decided by Swiss courts rather than the FDPIC.

With this in mind, Swiss companies having transferred or planning to transfer personal data to the U.S. under the Privacy Shield framework should consider the following:
 

• To the extent that Swiss companies have so far been relying on the Swiss-U.S. Privacy Shield framework for personal data transfers to U.S. companies, there is no immediate need to switch to alternatives in respect of ongoing transfers.
• For upcoming data transfers, however, it is advisable to consider alternative safeguards, such as standard contractual clauses acknowledged by the FDPIC or obtaining the affected individuals' consent, in view of a possibly negative decision by the Federal Council in the future.
• The developments with regard to such future decision by the Federal Council should be closely monitored.
• Swiss companies falling within the territorial scope of the GDPR – e.g. because they offer goods or services to data subjects in the EU or process personal data on behalf of EU based data controllers – should seek alternative mechanisms (such as the EU Standard Contracts, adapted to Swiss requirements) if personal data of EU based individuals is transferred to companies in the U.S. based on the now invalidated EU-U.S. Privacy Shield framework.