From a Swiss perspective, the USA has an adequate level of data protection
Since the new Swiss data protection law came into force on September 1, 2023, personal data may be transferred abroad without additional guarantees if the recipient country has an adequate level of data protection. The Federal Council determines which countries meet this requirement and publishes this in a binding list in Annex 1 of the Data Protection Ordinance.
Swiss-U.S. Data Privacy Framework (Swiss-US-DPF)
As the Federal Council announced in a press release, personal data can in future be transferred to certified companies in the USA without additional data protection guarantees. According to Art. 16 para. 1 FADP, personal data may only be transferred from Switzerland to the USA if adequate protection is provided. The Federal Council has now established this. The EU had already adopted an adequacy decision on the transfer of personal data to the USA in July. With the Federal Council's decision, Switzerland is now following suit.
Data transfer to the USA will now be much easier for companies, as the consent requirement for foreign data transfer to the USA stipulated by the FADP no longer applies, at least when dealing with certified US companies. The Federal Council's adequacy decision will apply from September 15, 2024, meaning that data can be transferred to such companies without the need for consent from this date.
Lawyer and IT law specialist Sven Kohlmeier sees this as a positive development: "I welcome the fact that the Federal Council has now taken this long-overdue decision. This makes data transfer much easier and more business-friendly for companies and is in line with EU practice."
Certified companies and Schrems III
The Federal Council's decision comes in response to the data protection framework between Switzerland and the USA, the Swiss-U.S. Data Privacy Framework (DPF). The Federal Office of Justice came to the conclusion that "certified companies" offer adequate protection for personal data under the DPF.
"Certified companies": The list of certified companies already exists (website: https://lnkd.in/eTemt8dG), and these companies are already certified in accordance with the Swiss-US DPF. Anyone can check this list to see whether a US company is certified and therefore guarantees an adequate level of data protection in accordance with the Swiss DPA.
"Schrems III":
The lawyer and data protection activist Max Schrems, who is also Chairman of the Board of the non-governmental organization noyb (which stands for "none of your business"), has already brought two successful actions before the European Court of Justice (ECJ) against inadequate transatlantic data protection agreements. The two judgments are also known as Schrems I and Schrems II. Both essentially dealt with concerns about US surveillance practices and the lack of sufficient safeguards for personal data in the EU. The Schrems II ruling had far-reaching implications for companies that transfer personal data from the EU to the US (or other third countries). Such companies must now ensure that the data protection standards in the recipient countries meet EU requirements, whereby a case-by-case assessment is necessary and standard contractual clauses are no longer accepted as a mechanism for international data transfers.
In light of the current adequacy decisions, the question arises as to whether and when Schrems will again file a complaint with the ECJ. The noyb website continues to criticize the fact that the fundamental problem with the new data protection framework is that the US government continues to grant constitutional rights only to US citizens. This means that personal data from the EU is still subject to mass surveillance by the US, even under the EU-US data protection framework.
Although the Swiss-USA-DPF would not be directly affected by a possible decision by the ECJ, a decision by the ECJ would presumably also have an impact on Switzerland due to the proximity of the Swiss DPA to the GDPR. However, it is likely to be several years before a decision is made... and until then, personal data can easily be passed on to certified companies based on the DPF.
Sven Kohlmeier firmly expects another lawsuit, a "Schrems III", by the data protection activist. Schrems himself says: "...now the Commission itself simply ignores the Court of Justice for the third time." The organization noyb.eu will therefore also take action against the current EU-US DPF (https://lnkd.in/ea9wsbQ9). It is Groundhog Day for data protection once again.
Swiss-U.S. Data Privacy Framework (Swiss-US-DPF)
Companies that transfer personal data from Switzerland to the USA may now be able to adapt their dealings with the customers or users from whom they transfer data. The following points should be noted:
1. If you have obtained consent for data transfer to the USA via your website, you may be able to remove this consent from September 15, 2024. This is no longer required for certified companies.
2. When transferring data to the USA, check whether the American company is certified. You can find the complete list of certified companies here: https://www.dataprivacyframework.gov/list.
3. If necessary, adapt your privacy policy and refer to the appropriate level of data protection in the USA through the Swiss-US-Data-Privacy-Framework.
Sven Kohlmeier is available to advise and litigate on IT law issues, data protection and cross-border matters relating to the EU and Germany.