Close
What would you like to look for?
Site search

17 October 2022

EU-U.S. Data Privacy Framework: When and how it will apply to Switzerland

On October 7, 2022, the US President signed an Executive Order (EO) designed to resolve the current issues when having personal data transferred from Europe to the US. A lot has been published about it already, and there is already a heated, sometimes emotional debate whether the new "Data Privacy Framework" (DPF) will withstand scrutiny by the European data protection authorities and, finally, the European Court of Justice. A "Schrems III" decision is likely.

But what about Switzerland? Will the DPF also apply to data transfers from Switzerland? Will it have to be recognized by the Federal Council? And when will this happen? Here are answers.

Becoming a "qualifying state"

To begin with, the EO does not even mention the EU, let alone Switzerland. It is designed in a more flexible manner:

  • To begin with, the US government promises that some of the protections in the EO will apply to all data transfers to the US, regardless from where they originate (we will talk about the scope a bit further below). It should be noted that several of these measures or restrictions are, in fact, not new. They can be found in the presidential directives and policies of the US intelligence authorities that already existed before the EO (PPD-28, EO 12333). Note that the EO can be changed at any point in time by the US President.
  • The much cited "redress" mechanism, i.e. the possibility for a non-US-person to file a complaint to an impartial and independent body (European law does not require it to be a court) is open only to individuals in "qualifying states", or – to be precise – to individuals who are permitted to submit such complaints through a qualifying state. It is the US Attorney General who ultimately designates a country (or group of countries, such as the EU) to be a qualifying state. As per the EO they may only do so under certain conditions, including (i) the existence of mutual protections for US persons with regard to signals intelligence in the qualifying state and (ii) where the qualifying state permits or is anticipated to permit commercial transfers of personal data to the US. The first condition will likely not be an issue in the case of Switzerland, the second condition is the more interesting one. It will result in a certain pressure on the data protection authorities. Furthermore, the "redress" mechanism only works for complaints submitted through an authority of the qualifying state, i.e. individuals can not submit complaints directly, but have to do so through the authorities of the qualifying state.

This means that Switzerland will need to negotiate with the US to become a "qualifying state", and as part of this will have to convince the US that personal data transfers to the US will be permitted under Swiss data protection law. The resulting diplomatic discussions will also have to include designating an authority in Switzerland (e.g., the Federal Data Protection and Information Commissioner) for the purpose of having complaints submitted under the new redress mechanism in the US. Switzerland will have to define who will be able to use it.

Let's wait-and-see

Since the most likely scenario is that Switzerland will want to wait and see what the European Commission do with regard to the new DPF (it is expected to support it) and given that such discussions take some time, we would be (positively) surprised to see the new DPF applying to transfers from Switzerland much before the revised Data Protection Act comes into effect on September 1, 2023. In fact, with the new law Switzerland for the first time has the possibility to authoritatively rule that personal data transfers to the US are permitted, which today neither the Federal Data Protection and Information Commissioner (FDPIC) nor the Federal Council can do.

Note that some work also needs to be done on the US side. While the EO has been signed, the new protections still need to be implemented. The US government has one year to implement them by issuing the relevant policies. Hence, there is also no rush for the FDPIC to take any actions. He can also wait and see what the European Commission and – more importantly – the EU data protection authorities do. He will most likely simply follow more or less their position.

We do note that the new redress mechanism has a feature that is similar to a practice that has already been established under Swiss law for years: While it offers the possibility to non-US individuals to (through the aforementioned mechanism) complain that certain of their rights under US law have been violated by US intelligence authorities, these individuals will not immediately learn whether that really has been the case. They will (at first) only be informed that their case has been considered and any necessary remedy determined, but not whether they had been subject to surveillance nor whether their rights were violated. Only after at least five years might the individual be granted access to the file. A similar concept also applies under the Federal Intelligence Act, with the FDPIC being the independent review board. 

The EO alone is not adequate

Will all the issues concerning data transfers to the US go away soon? No.

This is because the EO alone already by design will not cause the US to be considered as having an adequate level of data protection. It merely attempts to tackle the "Schrems II" finding that the US has some forms of lawful access that are considered problematic and, therefore, requires us to do "Transfer Impact Assessments" (TIA) when transferring personal data using the European Commission's Standard Contractual Clauses (EU SCC). To be recognized as a country with an adequate level of data protection, the US would also have to issue a federal data protection law that satisfies European standards, which it has not done yet and is not expected to do anytime soon.

Therefore, the US will "only" launch revised version of the former "Privacy Shield Framework" program (which will be renamed to "EU U.S. Data Privacy Framework Principles") and ask the European Commission to accept it as providing an adequate protection pursuant to Art. 45 GDPR, now backed by the additional protections under the new EO. It is expected that the Federal Council will do the same, when the US offers the program to Switzerland, which is to be assumed will happen. Note that the US continued to administer the Privacy Shield program despite the uncertainties. It is not yet clear what changes will become necessary under the new program and what that will mean for those US companies that have already been self-certified under the old Privacy Shield program. For daily practice this means that if an exporter in Europe wants to undertake a data transfer to the US without using the EU SCC, it may only do so to a US company that has been self-certified under the new program. This will also take some time.

The majority of transfers will continue to rely on the EU SCC. Here, hopefully only a pro-forma TIA will be necessary in the future for US transfers using the EU SCC should the new EO be found to fully "cure" the issues of US law that resulted in the "Schrems II" decision.

It will be interesting to see which position the European Data Protection Board (EDPB) will take because the adequacy decision that is expected from the European Commission will likely focus on the new DPF program for self-certified US companies for the reasons stated above. The onus will be on an exporter using the EU SCC to decide whether it can adopt the same reasoning when complying with Clause 14 of the EU SCC, i.e. when doing a TIA, and take the position that thanks to the new EO the potential lawful access by the NSA is no longer problematic from a EU law point of view. This is why guidance by the European data protection authorities and, thus, the EDPB as their joint body, will be relevant, and not only of the European Commission.

We see three main possible reactions of the EPDB: They consider the EO effective with regard to the "Schrems II" issues, in which case also those who use the EU SCC can relax until a contrary decision by the ECJ; they would no longer to check for the risk of a lawful access by a US authority, at least for "normal" data transfers (in the area of professional and official secrecy nothing changes, of course). The EDPB could also conclude that the new EO, while a step in the right direction, is not yet sufficient and the EDPB therefore "recommends" that exporters continue to take certain measures, such as "in-transit" encryption, in order to avoid NSA bulk data collections on Internet backbones (most of these measures will anyhow be necessary already for achieving an adequate level of data security). In this case, a reduced TIA could still be necessary. We consider this possibility much less likely.

If the EU data protection authorities come to the conclusion that the EO is ineffective from their point of view, a TIA will (in their view) continue to be necessary as is today – irrespective of an adequacy decision (which only concerns transfers in accordance with the "EU U.S. Data Privacy Framework Principles"). This is because the adequacy decision would likely only cover those transfers that take place under the new DPF program, which requires a self-certification by the data recipient in the USA. Such a certification will be too much of a burden for many companies, especially companies that are not providers and, therefore, not in the focus of the NSA. Hence, in this unlikely scenario, except for US-based providers, who we expect to be certified, all other would not be safe under the new EO. In this case, the exporters would again find themselves between a rock and a hard place. The adequacy decision would be a good argument for the EO being effective, but formally it would not apply out the scope of the decision. We really hope that the data protection authorities do not decide to move along this path of confrontation.

That said, if and when the ECJ were to in a few years rule in a potential "Schrems III" case, we may again find ourselves back to the current unfortunate situation.

To that end, we expect that the EDPB will feel immensely under pressure to accept the new EO as a great opportunity to – without losing its face – move us all out of the corner in which the EEA data protection authorities have unfortunately maneuvered us into in the wake of "Schrems II". If they act tactically, they will either remain vague or conclude that it is better to go with the new EO even if there are aspects that are not fully satisfactory or clear. This will result in the "hot potato" being passed along to the ECJ.

Legal challenges

The ECJ may find itself in the same situation, should Max Schrems' NOYB decide to attack a transfer based on new DPF program (as with "Schrems II"), which is probably easier than attacking a transfer under the EU SCC. The entire case is in any event a highly political matter and many will fail to see the real and tangible benefits that the entire exercise will have for data subjects. Those criticizing the EO are, of course, also right in pointing out that many safeguards remain unclear under the new EO. Some of them have already been raised, and some others may come more into focus in the future, such as the scope of the EO, which is limited to "signals intelligence" without such term being defined – does it really cover all data collections under Section 702 FISA?

Hence, our practical advice is to for the time being to continue business as usual, including by doing TIAs. Even if the EPDB deems the EO to be effective with respect to the "Schrems II" issue, exporters will likely not be able to rely on it for another six to twelve months, as the EO must first be implemented in the U.S., and it also only applies in substance once the U.S. has recognized the EU or Switzerland, respectively, as a "qualifying state." At present, the EO does not provide a legal basis for dispensing with TIAs and does also not require any change.

We do not expect European data protection authorities to undertake any significant amount of enforcement action against data transfers to the US except against visible use cases of selected big tech companies like Google, Meta, Microsoft or AWS (but for some reason not against others such as Apple or Oracle!) or in cases where they are more or less "forced" to do so. Most of our own current client work involving TIAs is, however, not focused on data transfers to the US, but to other countries in the world, of which there are many that have lawful access laws that are much more problematic than those in the US.

Category: Data & Privacy

Author

You are currently offline. Some pages or content may fail to load.