• news-banner

    Expert Insights

Available in other languages:

Data Protection / The Swiss-U.S. Data Privacy Framework: Adequacy Decision, Implications, and Caution

The Swiss-U.S. Data Privacy Framework signifies a pivotal milestone in the protection of personal data between Switzerland and the United States. As per the Federal Council's press release dated August 14, 2024, this new legal framework will enable the transfer of personal data to certified U.S. companies without the need for additional safeguards, such as the execution of standard contractual clauses (SCCs). The Federal Office of Justice has determined that the data protection measures and safeguards provided by the certified American companies are adequate, and the Federal Council has added the United States to the list of states ensuring an adequate level of data protection.

This decision was anticipated following the European Commission's adoption of a similar adequacy decision on July 10, 2023, which acknowledged that the United States ensures a level of personal data protection equivalent to that of the European Union.

This development will have significant repercussions, particularly on the use of web analytics systems and cloud services by Swiss companies. With the appropriate certification of American companies under the Swiss-U.S. Data Privacy Framework, personal data can be processed by services such as those offered by cloud and web analytics providers, without the previously imposed restrictions that required additional guarantees. However, it is incumbent upon Swiss companies to verify that the providers of these services are duly certified in accordance with the Swiss-U.S. Data Privacy Framework, which is the case for the most well-known and used in the field, such as Google, Amazon, or Microsoft.

It is advisable to approach this development with a degree of caution, taking into account past European experiences with data transfers to the United States. The Schrems I and Schrems II rulings by the Court of Justice of the European Union (CJEU) have demonstrated the complexity and challenges associated with data protection adequacy outside the European Economic Area. In the Schrems I case (2015), the CJEU invalidated the Safe Harbour, while in Schrems II (July 2020), it invalidated the Privacy Shield, questioning the adequacy of protections offered by the United States in terms of government surveillance and access to European citizens' data.

These decisions underscore the importance of vigilance and ongoing assessment of data protection frameworks by the relevant authorities. Swiss companies must remain alert to legal developments and potential implications of CJEU decisions or other jurisdictions that could affect the validity of the Swiss-U.S. Data Privacy Framework, knowing that the European adequacy decision is currently under the scrutiny of the CJEU.

In this context, it is essential that mechanisms for redress and protections against U.S. government access to data are not only formally established, as is the case in the new regulation, but also effective in practice.

The amendment to the Data Protection Ordinance will come into effect on September 15, 2024. From this date, Swiss companies, as well as individuals, will be able to transfer personal data to certified U.S. companies without having to implement specific safeguards. The currently certified American companies are listed here.

For data transfers to non-certified U.S. companies, safeguards such as standard contractual clauses and impact assessments of the transfers will remain necessary. We also recommend retaining as a fallback all the pre-existing safeguards put in place for certified American companies, given the historical uncertainty regarding the maintenance of adequacy decisions for the USA.

In conclusion, while the Swiss-U.S. Data Privacy Framework represents a significant advancement for data transfers between Switzerland and the United States, it is imperative to remain cognizant of the lessons learned from the Schrems cases and to maintain rigorous regulatory oversight to ensure that the rights of companies and individuals are fully protected in practice.

Our thinking

  • Understanding APP Fraud: Legal Strategies & Protection

    Caroline Greenwell

    Insights

  • Charles Russell Speechlys advises the University of Strathclyde on the incorporation and establishment of its Bahrain Campus

    Gareth Mills

    News

  • Claudine Morgan and Mary Barrett write for New Law Journal on liability for costs on discontinuation

    Claudine Morgan

    In the Press

  • CDR Magazine quotes Alim Khamis on Qatar’s new ‘Enforcement Law No. 4 of 2024’

    Alim Khamis FCIArb

    In the Press

  • Relocating to Switzerland: Swiss tax residency

    Grégoire Uldry

    Insights

  • Advancing Digital Property Rights: Thoughts for your Digital Estate

    George Bull

    Quick Reads

  • Semiconductor Industry: Commercial & IP Considerations

    Rebecca Steer

    Insights

  • Martyn’s Law / the Protect Duty: new Bill published

    Rory Partridge

    Insights

  • The Banker quotes Victoria Younghusband on the appointment of Bettina Orlopp as Commerzbank's new CEO

    Victoria Younghusband

    In the Press

  • Swiss estates: would a 50% tax on the super-rich be appropriate?

    Alexia Egger Castillo

    Quick Reads

  • Safeguarding Data Privacy: Saudi Arabia's New Rules for Personal Data Protection Officers

    Mark Hill

    Quick Reads

  • Law 360 quotes Caroline Greenwell on the UK’s APP fraud reimbursement plan

    Caroline Greenwell

    In the Press

  • Arbitration in UAE and Saudi – where are we now?

    Peter Smith

    Insights

  • Charles Russell Speechlys advises Mainsail Partners in its $63 million growth equity investment in MirrorWeb

    Daniel Rosenberg

    News

  • Dubai Court Rules on Liability of Telecom Providers in Cases of Bank Fraud

    Ghassan El Daye

    Insights

  • Saudi Arabia publishes new foreign investment law

    Peter Smith

    Insights

  • Emergency Arbitrations – what they are and when to use them

    Alim Khamis FCIArb

    Insights

  • Charles Russell Speechlys hosts its second International Arbitration Conference in London

    Gareth Mills

    Quick Reads

  • Caroline Greenwell and Bella Henry write for FT Adviser on the SFO’s annual report

    Caroline Greenwell

    In the Press

  • AP News and over 170 US outlets quote Gareth Mills on the Google EU monopoly ruling

    Gareth Mills

    In the Press

Back to top