Flags of US and Switzerland painted on cracked wall showing Swiss-US Privacy Shield invalidated due to Schrems II decision

Schrems II Decision Extends to Swiss-US Privacy Shield; Agreement Found Inadequate After Annual Review

The unexpected Schrems II decision was a major blow to digital trade across the Atlantic, invalidating the EU-US Privacy Shield agreement and forcing companies to very quickly revamp their data handling processes. There was some question as to whether this ruling would extend to the similar Swiss-US Privacy Shield agreement, and that question has now been answered by a Swiss annual review: it’s just as dead, for identical reasons.

Swiss-US Privacy Shield no longer valid

Though Switzerland is not a member of the EU and not strictly subject to the terms of the GDPR, it has essentially been forced to adopt many of its terms into national law due to its position and reliance on trade with EU partners. Though there are a number of key differences between the Swiss Federal Act on Data Protection (FDAP) and the GDPR, the FDAP has been under a process of continual revision to make it more compatible with GDPR terms since the European law went active in 2018.

Swiss national data protection law is directly compared by the EU to the levels of protection offered by the GDPR to determine adequacy and retain “trusted nation” status as a data transfer partner, something more vital to Switzerland than to most other nations due to its geographic position and trade treaties with its neighbors.

While Switzerland was not included under the EU-US Privacy Shield, it set up a nearly identical data transfer mechanism using the same name. Though it’s run by the country’s own Data Protection Authority (DPA) rather than those of Europe and it contains a few substantial differences, it largely mirrors the EU-US arrangement so as to match up with key GDPR requirements.

A recent review by Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) has determined that the Swiss-US relationship can thus no longer be considered adequate due to the Schrems II ruling just as the EU-US version already has. The decision was part of an annual review of the program’s terms and was largely expected by observers, though there was some question due to stronger terms regarding the handling of Swiss resident data in the Swiss-US agreement. The FDPIC found that these added protections were not enough to be adequate to maintain the agreement given the stipulations of the Schrems II ruling.

The move does not strictly invalidate the Privacy Shield agreement, as the FDPIC does not have that authority in Switzerland. However, it does render it effectively useless on its own as the US is now listed as a non-trusted data transfer partner for whom substantial extra security measures are required.

The US would have to choose to invalidate the agreement for it to formally end, but that seems unlikely to happen as the FDPIC also found that standard contractual clauses (SCCs) and binding corporate rules (BCRs) created under the terms of the agreement may still be legally adequate at an individual level provided that they can pass a risk assessment conducted by the FDPIC. These individual agreements might be kept valid via implementation of “additional safeguards” that ensure that the US government does not have unfettered access to the personal data being handled.

How far does Schrems II reach into Switzerland?

The decision is both similar and different to the invalidation of the EU-US Privacy Shield by Schrems II. It’s similar in the sense that the general framework is no longer adequate, but that there is still some potential room for companies to operate using SCCs and BCRs. It’s different in that there appears to be more room for companies to continue transferring personal data under carefully constructed SCCs and BCRs, at least going by the wording of the initial review.

While the EU-US Privacy Shield arrangement technically provides for the ability to continue using SCCs and BCRs, the direct application of the Schrems II ruling puts things on more shaky legal ground there. The crux of the Schrems II ruling is the belief that the US government has virtually unlimited access to the data being handled by private companies in the country, ergo any arrangement cannot be considered to adequately protect the privacy of EU citizens unless it specifically lays out data security measures to prevent government access. Privacy advocate Max Schrems has expressed the desire to continue pressing the case forward and invalidate SCCs and BCRs entirely on this basis, something that could still potentially happen.

SCCs and BCRs created under the terms of the agreement may still be adequate provided that they can pass a risk assessment conducted by the FDPIC. #PrivacyShield #respectdataClick to Tweet

It’s also true that Swiss-US SCCs and BCRs must also now pass a review that ensures that US government access to Swiss personal data is sufficiently limited. However, the Swiss-US Privacy Shield is not fully invalidated and the Schrems II ruling has no direct legal bearing in the country. Switzerland’s primary concern is adequacy in maintaining its trading status with the EU, something that might not necessarily require the same level of data protection requirements.