EU issues adequacy decision for US data transfers
On July 10, 2023, the European Commission issued the adequacy decision for data transfers from the EU to the U.S., thereby endorsing the EU-U.S. Data Privacy Framework. This establishes, in accordance with Article 45 of the GDPR, that the U.S. has an adequate level of data protection. With the Schrems II ruling, the European Court of Justice had declared the previous Privacy Shield invalid in 2020. Data transfer to the USA therefore had to be based, among other things, either on standard contractual clauses (SCC) or on the consent of the data subjects, which could be revoked at any time. In particular, this was an elaborate procedure for many companies, businesses and public institutions that carry out data transfers to the USA, e.g. in the office or cloud area.
Implications for Switzerland
The decision of the European Court of Justice in the so-called Schrems II ruling was not directly applicable to Switzerland, as the decision only referred to the EU adequacy decision. Nevertheless, following the EUJC ruling, the Federal Data Protection and Information Commissioner (FDPIC) also determined that the U.S. did not provide a comparable level of data protection within the meaning of Article 6(2) of the FADP(Opinion of September 8 ,2020). In the FDPIC's list of countries, the USA was consequently marked with "insufficient protection". Therefore, Swiss companies also had to resort to standard contractual clauses or other guarantees in order to ensure an adequate level of data protection in accordance with the law.
If an adequate level of data protection exists for the foreign transfer, the risk of fines for foreign transfers pursuant to Art. 61 lit. a FADP is significantly reduced and an essential penalty provision of the FADP is mitigated, at least for data transfers to the USA.
When is the adequacy decision for Switzerland coming?
The European Commission's adequacy decision has no effect on Switzerland, as Switzerland is not a member state of the EU. The FDPIC could still process the state list of the adequate level of data protection until September 1, 2023. According to Art. 16 (1 ) of the new Swiss Data Protection Act(nDSG, valid from September 1 , 2023), the Federal Council is responsible for determining the adequate level of data protection. After the summer break, the Federal Council will meet weekly on Wednesdays from August 16, 2023, so that September 6, 2023 at the earliest can be considered as the date for a resolution by the Federal Council, as the Act will only apply from September 1, 2023 and the Federal Council will therefore only be responsible for a resolution from this date. Pursuant to Art. 8 (3) of the Data Protection Ordinance (DPA), the FDPIC must be consulted before a resolution is adopted. From a legal purist point of view, if a decision were taken in September 2023 , the transfer would have to be made as of September 1 , 2023 by means of standard contractual clauses and would only be allowed to be based on Art. 16 (1) nDSG once the Federal Council has determined the appropriate level of data protection.
If the adequate level of data protection is established for the U.S., which is to be assumed, Annex 1 of the data protection regulation will be supplemented by countries with an adequate level of data protection.
Outlook
Regardless of the welcome simplification of data transfers to the U.S., companies and public authorities still have the task of implementing and organizing them in accordance with data protection law. According to our assessment, it is to be expected that the current EU-U.S. Data Privacy Framework will also be reviewed by the ECJ. As early as March 2023, data protection activist Max Schrems, who has already twice brought down data transfers to the U.S. for lack of an adequate level of data protection, criticized the new agreement for not ensuring an equivalent level of data protection in the U.S.. The reason given for the rejection is that the interpretation of proportionality differs in the EU and the USA. In addition, there is only an Executive Order in the USA and no parliamentary law, which means that individual protection rights would be lacking. We believe that legal protection against access by U.S. security authorities to data stored in the U.S. remains inadequate and does not meet the requirements of Article 47 of the EU Charter of Fundamental Rights.
Practical advice for companies
Data transfer can also be based on standard contractual clauses (supplementary) in the future. This means that every company is on the safe side should the ECJ declare the current EU-U.S. Data Privacy Framework invalid.
Small businesses and SMEs that have not previously used standard contractual clauses can be confident that the determination of the appropriate level of data protection for the U.S. will be made.
The risk of a fine remains in the event of a breach of disclosure obligations, data processing by order processors without a contract or a breach of data security.
We recommend data protection regulations for every company, which set out standardized rules on data processing, the handling of requests for information and data security.
Boards of Directors and management are obligated to ensure compliance with legal requirements, including the DPA, as part of prudent business management.
The GDPR must still be observed when processing personal data of EU citizens.
Attorney at law and specialist attorney for IT law (DE) Sven Kohlmeier advises you on Swiss as well as European data protection law and the implementation of the new DPA.
Explanation and notes on the EU adequacy decision
You can download the text of the EU adequacy decision here
Further articles on the topic of data protection law
Fines in the new data protection law - up to CHF 250.00 possible for private person
Data protection law revision | Part 1: Overview of changes
Data Protection Law Review | Part 2: Practical Recommendations
Data protection law review | Part 3: Cyber attack - the right response counts