In a much anticipated ruling, this month the Swiss Data Protection Authority concluded that the EU-US Swiss Privacy Shield was no longer an adequate method for transferring personal information from Switzerland to the US. In reaching this decision, the Swiss data protection authority agreed with the recent, similar, EU decision of inadequacy. Like the EU, Switzerland anticipates those transferring personal information from Switzerland to the US to rely on standard contractual clauses. However like the EU, Switzerland cautions that companies should assess “on a case-by-case basis” whether the recipient provides sufficient protection.
The policy paper from the Swiss authority provides not only a list of factors that Swiss companies can take when determining whether to transfer data to the US, but also outlines the interplay between Swiss and EU laws (keeping in mind, of course, that Switzerland is not a member of the EU). Noting that Switzerland is not bound to the recent Schrems II decision that resulted in the downfall of the EU-US Privacy Shield adequacy, it did indicate times where EU courts would expect Swiss companies to observe EU law. With this in mind, the Swiss data protection authority felt it necessary to reassess the US-Swiss Privacy Shield, and in doing so, reached the same conclusion as the EU (i.e., that it was not adequate).
Putting it Into Practice: This decision places transfers from Switzerland to the US on the same footing as those from the EU. Companies engaging in these activities will likely turn to Standard Contractual Clauses, but should keep in mind the suggestions raised by both the EU (which we covered here) and Switzerland when implementing them.