Article written by Haim Ravia and Dotan Hammer
On September 8, 2020, the Swiss Federal Data Protection and Information Commissioner (FDPIC) held that the specially crafted Swiss-US Privacy Shield program, established in 2017, does not provide an adequate level of protection for transfers of personal data from Switzerland to the US under the Swiss Federal Act on Data Protection.
The FDPIC’s decision essentially follows in the footsteps of the landmark judgment of the Court of Justice of the European Union (CJEU) in July, which invalidated the EU-US Privacy Shield program due to the insufficient protection that the US government affords to personal data. Because Switzerland is not a member state of the EU, the Swiss-US Privacy Shield program is not bound by the CJEU’s decision to invalidate the EU-US Privacy Shield program. However, the FDPIC indicated that in consideration of the general principle of the rule of law and the need for legal certainty, it feels compelled to reassess the status of the Swiss-US Privacy Shield program.
The FDPIC’s reassessment found material flaws in the lack of transparency regarding the US government’s mass collection of non-US citizens’ data for national security purposes and the resulting absence of guarantees concerning the interference of US authorities with the privacy rights of Swiss data subjects.
The FDPIC concluded that US data protection is insufficient, even for the processing of personal data by US companies that are certified under the Swiss-US Privacy Shield program. The FDPIC concluded that the US must be removed from the Swiss list of data-protection adequate countries.
The Swiss Federal Data Protection and Information Commissioner has issued a policy paper regarding the transfer of personal data to the US.