Yesterday, the Swiss data protection authority followed the EEA’s recent Schrems II judgment invalidating the Privacy Shield mechanism for transferring personal data to the United States.
To unpack this a bit, recall that although Switzerland is not part of the EEA, it has adopted data protection legislation largely reflecting the EEA’s GDPR. Under both the Swiss legislation and the GDPR, you can’t move data out of Switzerland or the EEA unless you’re moving it to a country that is recognized for adequately protecting personal data privacy, or you transfer it pursuant to contractual privacy safeguards such as the “model clauses/standard contractual clauses,” or you meet certain other enumerated conditions. The US doesn’t have a comparable privacy law, so it was never going to be recognized as a country offering adequate protections for privacy under the European privacy regimes—at least not across the board. But transferring data to the US is pretty important to the European economy, so both the EEA and Switzerland had negotiated “Privacy Shield” mechanisms with the US government as a way to qualify the US as offering adequate protection at least under certain circumstances. Companies in the US would make certain public commitments, and the US government would set up an internal privacy ombudsman with responsibility to protect the privacy of personal data transferred to the US. When companies transferred personal data pursuant to this mechanism, then the United States could be deemed as offering adequate protection.
In this summer’s Schrems II case, the European high court invalidated the Privacy Shield mechanism for transfers out of the EEA. It had two main gripes with US privacy laws. First, there is a foreign intelligence law that allows the US government to access foreign data in bulk (at least as the court understood the law), which the European court considered to be overbroad and unjustified. Second, there isn’t a sufficient individual remedy for US government overreach; although there is the privacy ombudsman, that office didn’t have enough authority or independence in the eyes of the court. So Privacy Shield couldn’t be used as a mechanism to transfer data to the US.
The European court left open other avenues, such as the “standard contractual clauses,” where companies make certain additional privacy commitments. But it cast some doubt on those mechanisms. European data protection authorities have followed up the decision with guidance on how companies might combine the standard contractual clauses with other safeguards to reach a sufficient level of protection. Chief among them is that companies only send data to the US in encrypted form, and keep the key out of the US.
The Schrems II judgment obviously raised a question for the Swiss: given the similarity of their regime and GDPR, should they follow the EEA? Although the European Schrems II decision doesn’t bind the Swiss, the commissioner was persuaded that it was basically right. And so went the Swiss-US Privacy Shield along with the EU-US Privacy Shield. And, similar to the European court, the Swiss commissioner cast doubt on transfers pursuant to other mechanisms, too. It contends that its complaints about US privacy protections apply regardless of whether a company transfers data pursuant to the Privacy Shield mechanism or the standard contractual clauses (or even other mechanisms like “binding corporate rules”). Either way, the US government will claim authority to access the transferred data in bulk and without offering (in the Swiss view) adequate individual remedies. And, like the other European authorities, it suggests that the SCCs may be appropriate only when combined with safeguards that prevent the US government from accessing data, such as ensuring that the data importer is not subject to the surveillance laws, or ensuring that transferred data is encrypted and the key is held outside the US.