On the heels of the Court of Justice of the European Union’s decision in Schrems II, Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) has determined that the U.S.-Swiss Privacy Shield does not meet the “requirements of adequate data protection as defined by the FADP (Swiss Federal Act on Data Protection).” It issued a policy paper offering advice on transferring data to countries not on its list of nations with adequate safeguards.
Key takeaways from the FDPIC decision:
- The FDPIC agrees with most of the European Data Protection Board’s criticisms regarding access by U.S. authorities and deems the lack of transparency and the resulting absence of guarantees concerning the interference of U.S. authorities irreconcilable with Swiss data protection laws.
- When transferring data to non-listed countries, data exporters should conduct due diligence. If necessary, the clauses should be expanded.
- Exporters must consider whether the foreign recipient company is capable of providing the cooperation necessary for the enforcement of Swiss data protection principles.
- If not, exporters must consider technical measures that effectively prevent the service providers and authorities in the destination country from accessing the transferred personal data (e.g., storage in a non-listed country plus encryption following the principles of BYOK (bring your own key) and BYOE (bring your own encryption)).
- If such measures are not possible, the FDPIC recommends refraining from transferring personal data to the non-listed country on the basis of contractual guarantees.