Following a reassessment of the Swiss-U.S. Privacy Shield framework, Adrian Lobsiger, the Federal Data Protection and Information Commissioner of Switzerland (Commissioner), has downgraded the U.S. ranking in terms of its data protection practices. The Commissioner concluded in his policy paper of September 8, 2020, that the Swiss-U.S. Privacy Shield, does not provide “adequate protection under certain circumstances.”
The Commissioner acknowledged that Swiss-U.S. Privacy Shield participants “grant special protection rights to persons in Switzerland,” however, such “rights do not meet the requirements of adequate data protection as defined by FADP.” Under the Federal Act on Data Protection (FADP), Swiss citizens have the right to assert their rights concerning their personal data. The Commissioner’s paramount concern is “the mass collection of non-U.S. citizens’ data for the purposes of anti-terrorism measures and national security.” In the Commissioner’s judgement, Swiss citizens do not have “enforceable legal remedy with regard to the data access by U.S. authorities” because of a clear lack of procedure and transparency on the part of the U.S. government.
Although the Commissioner’s assessment is not legally binding, his conclusions are in line with the recent Schrems II ruling from the Court of Justice of the European Union which rendered the EU-U.S. Privacy Shield invalid. While Switzerland is not a member of the EU, Swiss data privacy policies often mirror those of other European countries.
The Commissioner indicated that he plans to provide further information on the “data-protection-compatible export of personal data to the U.S. and other non-listed third countries in due course,” as relevant decisions by Swiss courts or statements by the European Data Protection Board become available. In the meantime, the Commissioner recommended that Swiss data exporters consider each potential personal data transfer with due diligence, including if necessary: (a) expanding Standard Contractual Clauses; (b) eliminating clauses concerning the recipient’s obligation to cooperate with local authorities; and (c) considering technical measures to prevent access by foreign authorities.
For more articles and alerts on this or other significant data protection laws and developments, follow the Fey LLC LinkedIn page here.
Keith Geekie, an information analyst with Fey LLC, contributed to this post.