Switzerland: FDPIC finds that Swiss-US Privacy Shield does not provide adequate level of protection
It was confirmed, on 8 September 2020, with Eugen Roesle, Attorney-at-law and Deputy Head of the Legal & Privacy Consulting Department at Swiss Infosec AG, that the Federal Data Protection and Information Commissioner ('FDPIC') announced that, following its assessment of the Swiss-US Privacy Shield, it has concluded in its position paper ('the Paper') that the Swiss-US Privacy Shield does not guarantee an adequate level of protection regarding data transfers from Switzerland to the US.
In particular, Roesle noted, "In its analysis, the FDPIC closely aligns with the assessment of the European Data Protection Board ('EDPB'). Besides coming to the conclusion that the Privacy Shield is not a suitable measure anymore for safeguarding transatlantic data transfers, in many cases, the alternative use of Standard Contractual Clauses currently stands on very shaky ground. In light of the fact that Switzerland longs to keep its status as a country with an adequate level of data protection, this development, however, may not come as surprise."
In addition, the FDPIC highlighted in its Paper that, as Switzerland and the EU mutually recognise their data protection legislation as equivalent, the FDPIC agrees with the EDPB's criticisms concerning the access to data by US authorities. Moreover, the FDPIC outlined, among other things, that some principles enshrined under the Federal Act on Data Protection ('FADP') are not respected under the Swiss-US Privacy Shield, including the lawful processing of personal data and the right to legal recourse.
Lastly, the FDPIC noted that its assessment of the Swiss-US Privacy Shield is subject to deviating rulings by Swiss courts and that it does not influence the existence of the Privacy Shield. More specifically, the FDPIC stated that that the Privacy Shield can be invoked by persons concerned in Switzerland as long as it is not revoked by the US.