CJEU ruling on Privacy Shield – impact on Swiss companies


On 16 July 2020, the Court of Justice of the European Union (CJEU) ruled that the EU-U.S. Privacy Shield (permitting personal data transfers to the U.S.) was invalid. Although Switzerland has its own Privacy Shield framework with the U.S., the CJEU's ruling may impact Swiss companies. However, there is generally no reason to panic. Swiss companies should nevertheless consider certain cautionary measures.

Data transfers to the U.S. under the Privacy Shield frameworks

Companies in the European Union (EU) and European Economic Area (EEA) are generally restricted under the EU General Data Protection Regulation (GDPR) from transferring personal data of natural persons (for example data relating to customers or employees) to Non-EU/EEA countries unless specific safeguards are in place. In particular, transfers of personal data to the U.S. have so far been permitted if the importing U.S. company is certified under the so-called EU-U.S. Privacy Shield framework, based on a decision taken by the European Commission in July 2016.

A nearly identical mechanism exists for Swiss companies: Whilst the Swiss Data Protection Act (DPA) generally restricts transfers of personal data to certain foreign jurisdictions including the U.S., data transfers to U.S. based companies certified under the Swiss-U.S. Privacy Shield framework have been permitted since April 2017. According to the Federal Data Protection and Information Commissioner (FDPIC), more than 3'300 U.S. companies have been licensed under the framework to date, including corporations such as Facebook, Amazon and Google.

CJEU ruling in respect of the EU-U.S. Privacy Shield framework

On 16 July 2020, the Court of Justice of the European Union (CJEU) ruled that the European Commission's decision regarding the EU-U.S. Privacy Shield framework was invalid ("Schrems II" ruling). The ruling was handed down in the context of a lawsuit brought by Maximillian Schrems against Facebook Ireland and is, inter alia, based on the argument that the framework would not sufficiently protect the data of EU individuals against access by US authorities.

It is uncertain whether, as a result of the Schrems II ruling, the EU-U.S. Privacy Shield framework will be replaced by another mechanism in the near future, given that already the preceding EU-U.S. Safe Harbor framework had been invalidated by the CJEU back in 2015 ("Schrems I" ruling).

Consequently, EU-based companies will likely need to rely on other safeguards for ongoing and future data transfers to the U.S., such as the so-called EU Standard Contracts (whose validity has generally been confirmed by the Schrems II ruling).

Impact on Swiss companies

Switzerland is not directly impacted by the Schrems II ruling, given that it is not party to the EU-U.S. Privacy Shield framework and that the CJEU's decision striking down the EU-U.S. Privacy Shield framework does not invalidate the Swiss-U.S. Privacy Shield framework. So far, the FDPIC has published a short statement that the Schrems II ruling is not directly applicable to Switzerland. The competence to formally terminate the Swiss-U.S. Privacy Shield framework lies with the Swiss Federal Council.

However, based on the FDPIC's earlier activities undertaken in the context of the Schrems I ruling, it cannot be ruled out that the FDPIC may now conclude that – considering the Schrems II ruling – the Swiss-U.S. Privacy Shield framework does not provide an adequate level of protection for data transfers from Switzerland to the U.S. That said, such finding by the FDPIC would not be legally binding since the adequacy of foreign data protection legislations will ultimately be decided by Swiss courts rather than the FDPIC.

With this in mind, Swiss companies having transferred or planning to transfer personal data to the U.S. under the Privacy Shield framework should consider the following:

  • To the extent that Swiss companies have so far been relying on the Swiss-U.S. Privacy Shield framework for personal data transfers to U.S. companies, there is no immediate need to switch to alternatives in respect of ongoing transfers.
  • For upcoming data transfers, however, it is advisable to consider alternative safeguards, such as standard contractual clauses acknowledged by the FDPIC or obtaining the affected individuals' consent, in view of a possibly negative decision by the Federal Council in the future.
  • The developments with regard to such future decision by the Federal Council should be closely monitored.
  • Swiss companies falling within the territorial scope of the GDPR – e.g. because they offer goods or services to data subjects in the EU or process personal data on behalf of EU based data controllers – should seek alternative mechanisms (such as the EU Standard Contracts, adapted to Swiss requirements) if personal data of EU based individuals is transferred to companies in the U.S. based on the now invalidated EU-U.S. Privacy Shield framework.

Subscribe to our Updates

*Required fields

Monthly selected key topics from our practice areas and sectors, plus Newsflashes on current events.
Monthly email with the latest updates on and summaries of the Swiss Federal Supreme Court's case law in arbitration matters.
A regular look (1 – 2 per year) from a unique M&A perspective on legal changes, economic developments and societal trends in Switzerland.
Regular insights on Swiss and international trends and legal developments in the construction industry.
Concise analyses of key trends in the fast moving world of corporate governance for the boards of Swiss companies.