Categories: Data & Privacy, Blog
More than a year after the European Commission, the Swiss Federal Council has now also adopted its adequacy decision for the "Data Privacy Framework" (DPF), thus facilitating the transfer of personal data to the USA from a data protection point of view. On 14 August 2024, it decided to amend Annex 1 of the Data Protection Ordinance (DPO), which will enter into force on 15 September 2024. The amendment was overdue and is largely undisputed, at least in Switzerland.
In summary, the decision allows the transfer of personal data to US companies without further measures, provided that the companies are also certified for Switzerland under the DPF. If they are not, it is still required to enter into a data transfer agreement with them, but in this case, too, the decision increases the legal certainty of the transfer. This is relevant because violating the relevant provisions of the Data Protection Act (DPA) can be criminally sanctioned.
We had already reported on the background in detail in a blog post on 17 October 2022. The reason for this was that the US President made further assurances regarding lawful access to data transferred to the USA by the US intelligence community as part of Executive Order (EO) 14086 in order to counter (in our view primarily politically motivated) criticism of the European Court of Justice (ECJ). In the "Schrems II" decision, this had led to transfers to the USA being considered problematic under data protection law, at least if there was reason to believe that such lawful access by the US intelligence community could occur.
It is disputed whether EO 14086 is sufficient to solve the problem identified by the ECJ, and a "Schrems III" decision, in which this question will need to be clarified, is expected in the next few years. The European Commission's latest adequacy decision, which was issued in the summer of 2023 on the basis of EO 14086 and has since allowed a more or less unhindered flow of data between the EEA and the USA, may then also be overturned. If this happens, we will again be in a shambles. It will probably be another political decision of the ECJ, and our expectation is that EO 14086 will be considered sufficient. Switzerland has followed suit for opportunistic reasons, both with Schrems II and with the current adequacy decision. Of course, this in no way diminishes its value.
The reason it took Switzerland more than a year to follow suit with its adequacy decision was, for once, not because of Switzerland, but because the adequacy decision first required an assessment by the USA regarding the adequacy of Swiss data protection and lawful access under Swiss law, as provided for in EO 14086. This was achieved on 7 June 2024 with a decision of the Attorney General, which cleared the way for the Federal Council to issue its own adequacy decision.
The Federal Office of Justice completed its own assessment of the adequacy of data protection in the USA under the "Data Privacy Framework" and in light of the means for lawful access by US authorities on 30 April 2024 and submitted it to the Federal Council. The assessment analyses both the requirements of the Data Privacy Framework and its enforcement, as well as the possibilities for US authorities to lawfully access data that has been transmitted to the USA, and the safeguards provided by US law to that end. The assessment concludes "that the United States ensures an adequate level of protection for personal data that a controller or processor in Switzerland transfers to certified organizations in the United States under the Swiss-U.S. DPF."
Although the Federal Office of Justice's conclusion is as brief and general as that of the European Commission in the considerations of its adequacy decision a year ago, the Federal Council's decision based on the assessment is in our view a clear statement that the US authorities' ability to access data – including the much-cited CLOUD Act – is compatible with the requirements of Swiss law. It thus clearly rejects the occasional but prominent claims made by data protection authorities that the CLOUD Act is contrary to the "ordre public" of Switzerland. An expert opinion published last year made statements in this general direction. This caused and still causes confusion in the public sector as to whether it is permitted to make use of providers with a connection in the US.
The Federal Council clearly does not share these concerns (which are presumably simply due to a misunderstanding of US law by some authors and data protection authorities in Switzerland), as it would otherwise never have rendered the latest adequacy decision, particularly in view of the preconditions set forth in Art. 8 para. 2 of the DPO, which inter alia require that foreign lawful access laws be compatible with Swiss law. In the EU as well, the compatibility of the CLOUD Act with European data protection law was never seriously in doubt; in fact, its provisions originate from the Council of Europe's Cybercrime Convention. Hopefully, this discussion is now off the table for the purposes of data protection in Switzerland (until it perhaps becomes an issue again in the event of "Schrems III").
However, the adequacy decision has not changed anything with regard to professional and official secrecy in Switzerland. Here, an exporter may still not have any reason to believe that, for example, the use of cloud services provided by a foreign hyperscaler will lead to lawful access by foreign public authorities. This applies to any country, be it Germany, the Netherlands, Ireland – and of course also the US. It also has nothing to do with data protection. It is relevant for data protection only insofar as a controller-to-processor transfer is permissible under Swiss data protection law only if it does not violate any confidentiality obligations.
Professional and official secrecy holders will therefore always have to carry out an assessment of the probability of access by foreign authorities (Foreign Lawful Access Risk Assessment, FLARA) whenever they use a cloud service or other service with a foreign nexus, for which there is an established methodology in Switzerland. Exceptions are cases in which the disclosure of secret data abroad is permitted by law, contract or by a suitable waiver, even if there is an increased risk of foreign lawful access. However, there is nowadays a recognized set of measures that can be used to reasonably restrict such access by the authorities, especially in the cloud.
The Federal Council's press release on the adequacy decision for the Swiss-US DPF refers only to the transfer of personal data to the USA to "certified" US companies. Although this is correct from the Federal Council's point of view, it is far too narrow in practice. The adequacy decision can in fact also be used for most other transfers of personal data to the USA. This is relevant because most US companies either do not have certification or are unable to obtain it; certification is not available to certain industries. Intra-group data transfers to the USA also often cannot be based on certification for business reasons.
You can find out which companies are certified here. It is always necessary to check whether the certification also covers the "Swiss-U.S. Data Privacy Framework" and not just that of the EU, and for which data category the certification has been issued (HR data or non-HR data or both).
The Federal Council's decision in favor of the USA did not conclude that US data protection law as such is adequate; in fact, there is no data protection law in the US that applies nationwide, let alone one that we would consider adequate. In order to nevertheless make it easier for US companies to transfer data by means of an adequacy decision, the USA has created the DPF, which – like its two predecessors "Safe Harbor" and "Privacy Shield" – defines a series of data protection rules (analogous to European data protection law) to which US companies can subject themselves through a declaration and certification, whereby a distinction is made between personal data of employees and other personal data.
If these companies do not comply with these data protection rules, they can be sanctioned in the USA for violating their public data protection assurances, which does happen. Together with a number of other measures, participation in this program compensates for the lack of a general US data protection law. This is why the adequacy decision only applies to certified companies. The DPF exists in a version for the EEA (and the UK) as well as one for Switzerland.
Today, US providers and US online providers such as Microsoft, Google, Meta and Amazon in particular are certified under the DPF: certification simplifies access to and use of their services as well as their intra-group data traffic, because without an adequacy decision further measures would be required. In contrast, the DPF barely plays any role in the global data transfers taking place within global companies that also have affiliates in the USA. Certification would be too costly for them, as mentioned above.
This concept of a self-certification framework was never the real problem with data transfer to the USA; it has existed for years under different names. The problem was the aforementioned lawful access by the US intelligence community. This, however, affected all data transfers to the USA in the same way – including those based on the EU Standard Contractual Clauses (EU SCC). As this problem was solved with EO 14086, and as EO 14086 applies to all transfers from Switzerland to the USA, i.e. including those that do not take place under the Swiss-US DPF, this also benefits transfers that rely solely on the EU SCC to ensure adequate data protection by the recipient in the US. These transfers represent the majority of cases in which data is transferred to the USA.
For most US cloud providers that operate their business via EU subsidiaries (e.g. Microsoft, AWS, Google, OpenAI), the Swiss-US DPF is not even necessary and also does not apply: here, data is first transferred to the EU and only from there transferred onward to the USA. These stop-over transfers have already been covered by the European Commission's adequacy decision since summer 2023. The Federal Council's adequacy decision is only relevant for direct transfers to the USA, whereby under data protection law it is not the physical transfer that counts, but where the recipient is located: if a data center is located in Ireland, but the party operating it and with whom a Swiss company has the service contract is located in the USA, then this legally represents a transfer of data to the USA, even if the data stays in Ireland.
But how can you benefit from the adequacy decision when using EU SCC? Unfortunately, this is also somewhat complicated. It is necessary to take a look at Art. 14 of the EU SCC, where the parties undertake to check whether there is reason to believe that there will be problematic access by authorities in the recipient's country before transferring personal data within the framework of the EU SCC. This check is known as a "Transfer Impact Assessment" (TIA) and is generally understood to be prescribed or expected by data protection law – including in Switzerland.
If data is transferred to the USA outside the Swiss-US DPF, those who rely on the EU SCC for doing so must therefore examine the lawful access rights of US authorities and determine whether they are problematic or not. They must basically do the same as the Federal Council has done in its adequacy decision. Thus, the person who intends to transfer data to the USA can basically piggyback on the Federal Council's decision and declare that, after reading the underlying assessment, they agree with the findings and conclude that the transfer of personal data to the USA is therefore unproblematic. If the Federal Council comes to this conclusion, it is unlikely that a private data exporter will be accused of not having carried out its checks correctly; in any case, we believe it would not be possible to criminally sanction them for not having complied with the data export rules of the DPA. In order to document this "pro forma" TIA, we have drafted a template (available here), as we have already done in a similar form for EU law (here).
The following chart shows how to proceed in the event of a transfer to the USA as of 15 September 2024:
Those who have already agreed to the EU SCC basically do not need to do anything unless they do not like the EU SCC for the reasons mentioned above. In this case, it may be worth adapting the contract – possibly with the aforementioned fallback mechanism. Companies that rely on Binding Corporate Rules (BCR) do not have to do anything, either. There is also generally no need for action if one of the hyperscalers or another online provider is used and the contract has been concluded with its subsidiary in the EEA, as is usually the case with Microsoft, AWS and Google, for example: in this case, legally speaking, the data flows to the EEA first, and the onward transfer from there to the USA takes place under EU law and is therefore already protected under the EU-US DPF, which has been in force since summer 2023 (exceptions may exist where, as in the case of AWS for example, the provider has stipulated in its DPA that the Swiss customer must also agree to the EU SCC directly with the US parent company).
We assume that the DPF will be used in dealings with providers but will not really be trusted as a long-term safeguard – experience with it has been too bad ("Schrems I", "Schrems II"). Yet the issue of data protection compliance in the transfer of personal data to the USA should be off the table for the time being (as mentioned, with the exception of professional and official secrets), and that is a good development. Since the adequacy decision was issued in the EU, the EU data protection supervisory authorities have been rather quiet on the topic of international data transfers, and this is good in our view, as there are more important issues in data protection.
David Rosenthal
Team Head