The Swiss-U.S. Data Privacy Framework: Adequacy Decision, Implications, and Caution
The Swiss-U.S. Data Privacy Framework signifies a pivotal milestone in the protection of personal data between Switzerland and the United States. As per the Federal Council's press release dated August 14, 2024, this new legal framework will enable the transfer of personal data to certified U.S. companies without the need for additional safeguards, such as the execution of standard contractual clauses (SCCs). The Federal Office of Justice has determined that the data protection measures and safeguards provided by the certified American companies are adequate, and the Federal Council has added the United States to the list of states ensuring an adequate level of data protection.
This decision was anticipated following the European Commission's adoption of a similar adequacy decision on July 10, 2023, which acknowledged that the United States ensures a level of personal data protection equivalent to that of the European Union.
This development will have significant repercussions, particularly on the use of web analytics systems and cloud services by Swiss companies. With the appropriate certification of American companies under the Swiss-U.S. Data Privacy Framework, personal data can be processed by services such as those offered by cloud and web analytics providers, without the previously imposed restrictions that required additional guarantees. However, it is incumbent upon Swiss companies to verify that the providers of these services are duly certified in accordance with the Swiss-U.S. Data Privacy Framework, which is the case for the most well-known and widely used providers in the field, such as Google, Amazon, or Microsoft.
It is advisable to approach this development with a degree of caution, taking into account past European experiences with data transfers to the United States. The Schrems I and Schrems II rulings by the Court of Justice of the European Union (CJEU) have demonstrated the complexity and challenges associated with data protection adequacy outside the European Economic Area. In the Schrems I case (2015), the CJEU invalidated the Safe Harbour, while in Schrems II (July 2020), it invalidated the Privacy Shield, questioning the adequacy of protections offered by the United States in terms of government surveillance and access to European citizens' data.
These decisions underscore the importance of vigilance and ongoing assessment of data protection frameworks by the relevant authorities. Swiss companies must remain alert to legal developments and to the potential implications of decisions of the CJEU or of other jurisdictions that could affect the validity of the Swiss-U.S. Data Privacy Framework, knowing that the European adequacy decision is currently under the scrutiny of the CJEU.
In this context, it is essential that mechanisms for redress and protections against U.S. government access to data are not only formally established, as is the case in the new regulation, but also effective in practice.
The amendment to the Data Protection Ordinance will come into effect on September 15, 2024. From this date, Swiss companies, as well as individuals, will be able to transfer personal data to certified U.S. companies without having to implement specific safeguards. The currently certified American companies are listed here.
For data transfers to non-certified U.S. companies, safeguards such as standard contractual clauses and impact assessments of the transfers will remain necessary. We also recommend retaining as a fallback all the pre-existing safeguards put in place for certified American companies, given the historical uncertainty regarding the maintenance of adequacy decisions for the USA.
In conclusion, while the Swiss-U.S. Data Privacy Framework represents a significant advancement for data transfers between Switzerland and the United States, it is imperative to remain cognizant of the lessons learned from the Schrems cases and to maintain rigorous regulatory oversight to ensure that the rights of companies and individuals are fully protected in practice.