On 16 July 2020, the Court of Justice of the European Union (CJEU) ruled that the EU-U.S. Privacy Shield (permitting personal data transfers to the U.S.) was invalid. Although Switzerland has its own Privacy Shield framework with the U.S., the CJEU's ruling may impact Swiss companies. However, there is generally no reason to panic. Swiss companies should nevertheless consider certain cautionary measures.
Data transfers to the U.S. under the Privacy Shield frameworks
Companies in the European Union (EU) and European Economic Area (EEA) are generally restricted under the EU General Data Protection Regulation (GDPR) from transferring personal data of natural persons (for example data relating to customers or employees) to non-EU/EEA countries unless specific safeguards are in place. In particular, transfers of personal data to the U.S. have so far been permitted if the importing U.S. company is certified under the so-called EU-U.S. Privacy Shield framework, based on a decision taken by the European Commission in July 2016.
A nearly identical mechanism exists for Swiss companies: whilst the Swiss Data Protection Act (DPA) generally restricts transfers of personal data to certain foreign jurisdictions including the U.S., data transfers to U.S.-based companies certified under the Swiss-U.S. Privacy Shield framework have been permitted since April 2017. According to the Federal Data Protection and Information Commissioner (FDPIC), more than 3'300 U.S. companies have been licensed under the framework to date, including corporations such as Facebook, Amazon and Google.
CJEU ruling in respect of the EU-U.S. Privacy Shield framework
On 16 July 2020, the Court of Justice of the European Union (CJEU) ruled that the European Commission's decision regarding the EU-U.S. Privacy Shield framework was invalid ("Schrems II" ruling). The ruling was handed down in the context of a lawsuit brought by Maximillian Schrems against Facebook Ireland and is, inter alia, based on the argument that the framework would not sufficiently protect the data of EU individuals against access by U.S. authorities.
It is uncertain whether, as a result of the Schrems II ruling, the EU-U.S. Privacy Shield framework will be replaced by another mechanism in the near future, given that the preceding EU-U.S. Safe Harbor framework had already been invalidated by the CJEU back in 2015 ("Schrems I" ruling).
Consequently, EU-based companies will likely need to rely on other safeguards for ongoing and future data transfers to the U.S., such as the so-called EU Standard Contracts (whose validity has generally been confirmed by the Schrems II ruling).
Impact on Swiss companies
Switzerland is not directly impacted by the Schrems II ruling, given that it is not party to the EU-U.S. Privacy Shield framework and that the CJEU's decision striking down the EU-U.S. Privacy Shield framework does not invalidate the Swiss-U.S. Privacy Shield framework. So far, the FDPIC has published a short statement that the Schrems II ruling is not directly applicable to Switzerland. The competence to formally terminate the Swiss-U.S. Privacy Shield framework lies with the Swiss Federal Council.
However, based on the FDPIC's earlier activities undertaken in the context of the Schrems I ruling, it cannot be ruled out that the FDPIC may now conclude that, considering the Schrems II ruling, the Swiss-U.S. Privacy Shield framework does not provide an adequate level of protection for data transfers from Switzerland to the U.S. That said, such a finding by the FDPIC would not be legally binding since the adequacy of foreign data protection legislation will ultimately be decided by Swiss courts rather than the FDPIC.
With this in mind, Swiss companies that have transferred or plan to transfer personal data to the U.S. under the Privacy Shield framework should consider the following: