The hits keep coming for the United States in the wake of the Court of Justice of the European Union’s (CJEU) ruling in July to scrap the EU-U.S. Privacy Shield.
On Tuesday, in reaction to that ruling, the Swiss Federal Data Protection and Information Commissioner (FDPIC), Adrian Lobsiger, shared his opinion that the Swiss-U.S. Privacy Shield, which largely mirrors the EU-U.S. program, “does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to the Federal Act on Data Protection (FADP).” Thus, the United States was moved from “adequate data protection under certain conditions” on the Swiss list to “level insufficient.”
The FDPIC’s ruling regarding the United States does not invalidate the Swiss-U.S. Privacy Shield, as Lobsiger does not have that authority. “The regime can be invoked by persons concerned in Switzerland as long as it is not revoked by the USA,” the FDPIC said in an accompanying policy paper.
Switzerland is not part of the European Union and therefore was not covered under the CJEU ruling. The General Data Protection Regulation also does not apply to Switzerland as a whole, instead only affecting Swiss companies that meet certain conditions. However, Swiss data legislation (the aforementioned FADP) is considered on par with the GDPR, and thus the FDPIC’s decision suggests Switzerland shares the same concerns as the CJEU that surveillance laws in the United States allow the government too much access to non-U.S. citizens’ data.
The United States had held its “adequate data protection under certain conditions” position on the Swiss list since January 2017, in large part due to the assurances provided by the Privacy Shield regime. The Swiss-U.S. pact requires that certified U.S. businesses respect the principles of Swiss data protection legislation and includes guarantees by U.S. authorities in relation to access to transferred personal data, particularly pertaining to U.S. surveillance laws.
“[I]n view of the fact that Switzerland and the EU mutually recognise their data protection legislation as equivalent, the FDPIC agrees with most of the EDPB’s criticisms regarding access by US authorities, insofar as these can also be derived from Swiss data protection law,” the FDPIC stated in its policy paper.
“[T]he FDPIC noted in his review reports that persons concerned in Switzerland do not have sufficient enforceable legal rights in the US, especially since the effectiveness of the ombudsperson mechanism, which is intended to guarantee an indirectly enforceable legal remedy, cannot be assessed owing to lack of transparency. Furthermore, the FDPIC criticised the fact that, without sufficiently concrete and conclusive information, it is not clear that the ombudsperson has decision-making powers vis-à-vis the US intelligence services nor enjoys actual independence. Safeguards are therefore lacking, a situation which … is highly problematic for the enforcement of the rights of persons concerned in Switzerland.”
Like the European Union, Switzerland utilizes standard contractual clauses (SCCs) for data transfers with other countries. The FDPIC shares in the belief that SCCs “cannot prevent foreign authorities from accessing personal data if the public law of the importing country takes precedence and allows official access to the transferred personal data without sufficient transparency and legal protection of the persons concerned.” While the European Union is considering modernizing SCCs in the wake of the CJEU ruling, it is unclear whether Switzerland will do the same.
In his policy paper, the FDPIC notes several best practices for transferring data to non-listed countries, a group that now includes the United States. These include conducting a risk assessment on SCCs, understanding the non-listed country’s laws regarding special access by local authorities, and considering whether encryption and other technical efforts in the non-listed country are up to par.