On 16 July 2020, the Court of Justice of the European Union (CJEU) rendered its long-awaited decision in case C-311/18, Data Protection Commissioner v. Facebook Ireland & Schrems (Schrems II), on the validity of the EU-US Privacy Shield and of Standard Contractual Clauses (SCC) as transfer mechanisms for cross-border personal data flows from the EU/EEA to third countries under the General Data Protection Regulation (GDPR). The CJEU held that the primacy given in the US to national security, public interest and law enforcement collides with the requirements of the GDPR, which must guarantee respect for private and family life, the protection of personal data and the right to effective judicial protection. In particular, it held that data subjects are not provided with any meaningful cause of action before a body offering guarantees equivalent to those required by EU law. On this and further grounds, the CJEU invalidated Decision 2016/1250 on the EU-US Privacy Shield. The CJEU held, however, that Commission Decision 2010/87 on SCC remains valid. At the same time, it emphasised that SCCs do not bind the authorities of the third country to which personal data are transferred. Consequently, whether SCCs can be relied on depends on whether effective mechanisms exist to ensure the level of protection required within the EU under the GDPR. Therefore, according to the CJEU, a transfer of personal data under SCCs must be suspended or prohibited in the event of a breach of the SCC provisions or if it is impossible for the data importer to honour its obligations under the SCCs. For further detail on the CJEU case, please see: https://www.cms-lawnow.com/ealerts/2020/07/schrems-strikes-again-eu-uprivacy-shield-invalid-standard-contractual-clauses-upheld-but-due
Switzerland has been observing this decision with great interest. For those who do not know: Switzerland is not part of the European Union and is therefore not directly bound by the CJEU's decision. Nevertheless, the factual circumstances made it likely that the Swiss Federal Data Protection and Information Commissioner (FDPIC) would reassess the separate Swiss-US Privacy Shield under similar considerations. What is at stake in such an assessment is the adequacy of the Swiss-US Privacy Shield measured against Swiss data protection standards, and it need not reach the same conclusions as the CJEU. From a practical perspective, however, many predicted that the FDPIC would declare the Swiss-US Privacy Shield insufficient in order to align with the EU's position and to safeguard the adequacy of Switzerland's level of personal data protection vis-à-vis the EU (the EU's adequacy decision on Switzerland's data protection level is due for renewal soon). In addition, many US providers will look for a single catch-all solution for their collaboration with partners across Europe. This adds pressure to find a satisfactory European solution, of which Switzerland could also be part.
On 8 September 2020, the FDPIC issued an official statement on the relevance of the CJEU's Schrems II decision for Switzerland. As expected, the FDPIC stated that the Swiss-US Privacy Shield does not provide a sufficient guarantee within the meaning of Art. 6 para. 2 of the Swiss Federal Act on Data Protection (FADP) to permit the transfer of personal data from Switzerland to data importers in the US.
Also as expected, the FDPIC holds that SCCs or comparable clauses (under Swiss standards) are not unsuitable in principle. However, it suggests that for data transfers to countries not on the FDPIC's list of states with adequate protection, SCCs may in many cases not suffice as a contractual guarantee within the meaning of Art. 6 para. 2 lit. a FADP. In other words, SCCs are no longer viewed as a "standard" in the eyes of the FDPIC; in many cases they suffice only if supplemented with additional safeguards. This principle already exists under the GDPR: based on Recital 109 of the GDPR, controllers and processors are "encouraged" to supplement the SCC with "additional safeguards". The FDPIC stresses that data subjects must have meaningful and enforceable remedies against the processing of their data abroad. SCCs are only considered sufficient if there are no indications that the data importer cannot comply with them. This is also reflected in Clause 5 of the controller-to-processor SCC and Clause II of the controller-to-controller SCC, in which the data importer gives an assurance that its local law does not prevent it from fulfilling the SCC.
The FDPIC emphasises that even supplementary clauses in SCCs do not bind foreign authorities; if foreign authorities can still access the personal data and the data importer cannot deliver the compliance the SCC require, the SCC fail their contractual purpose. Therefore, as a third layer, the FDPIC recommends evaluating technical measures that exclude or prevent access by foreign authorities (e.g. encrypting personal data stored in a cloud server abroad on the "bring your own key" and "bring your own encryption" principles, so that no identifiable personal data is accessible within the foreign jurisdiction). Without such technical measures or reliable SCCs (see above), the FDPIC recommends refraining from transferring personal data to non-listed third countries on the basis of SCCs.
The far more relevant question after this expected announcement by the FDPIC: What should you as a Switzerland-based business do now?
1) Verify whether your company transfers personal data to the US based on the Swiss-US Privacy Shield (a list of providers can be found on the following Privacy Shield List: https://www.privacyshield.gov/list).
2) If such transfers take place, check whether you could mitigate risks based on contractual guarantees (SCC) instead.
In this regard, you should not rely on the SCC as a genuine "standard", but should conduct a risk assessment of whether the existing data protection risks can be covered by SCCs (possibly with supplementary clauses). This requires considering the position of the data importer in its local jurisdiction and whether local authorities have special access rights to its data; local expert opinions are likely to gain relevance here. It is also worth noting that the US is not the only country in which authorities may have far-reaching access rights to data, so a differentiated review of the relevant jurisdictions is recommended. For compliance purposes, such risk assessments should be documented and retained in case supervisory authorities knock on your door and request more information.
As to supplementary clauses in the SCC, it is controversial to what extent compliance with SCCs can be strengthened by such clauses. The underlying message of the FDPIC (and of the prior CJEU decision Schrems II) is that one cannot simply sign SCCs as a formality without enquiring into the data protection laws of the data importer's country and without verifying the data importer's compliance with the SCC. Closer attention should be paid to the precise terms of the SCCs, and the parties must actually live by them (not just on paper). One way to address this is to establish audit rights for the data exporter, notification obligations in the event of data access requests by authorities or of changes in legislation, and response procedures (i.e. how a data importer should react to lawful access requests, such as first seeking protective briefs for personally identifiable data). Should a data importer not comply, or not be in a position to comply, with the SCCs, data transfers should be suspended or terminated.
Even with the supplementary measures mentioned above, contractual measures are of limited effect. Contracts apply only inter partes and cannot "heal" flaws in the jurisdiction of the data importer. Therefore, if SCCs provide no reliable alternative (see above), protection through technical measures must be considered as a third layer, as follows.
3) If the risk of access by authorities cannot be mitigated by SCCs because of the position of the data importer, technical measures should be taken to effectively prevent access (e.g. "bring your own key", where the recipient does not hold the key needed to decrypt the data). Such solutions are often implemented within a large group of companies (to safeguard information within the same group). However, "bring your own key" is technically difficult to implement vis-à-vis multiple data importers abroad (each data importer, as "key owner", usually has different requirements) and is often not even offered by them. In such cases, the FDPIC recommends that personal data not be transferred to the data importer on the basis of SCCs.
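The "bring your own key" measure referred to in the FDPIC's third layer and in step 3 above, as an added example that is not code from the FDPIC's guidance or from the original article: a Go program (standard library only) in which the Swiss data exporter encrypts each record under a fresh data key, wraps that key under a key-encryption key that stays in Switzerland, and hands the foreign importer only ciphertext. The importer's Disclose routine models a lawful-access request served by the importer and shows that it yields no plaintext. The names (Record, Seal, Open, Importer), the in-memory key and the sample record are assumptions for illustration; in production the key-encryption key would sit in a Swiss-hosted HSM or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is all the foreign importer receives: ciphertext, nonces, and a per-record DEK wrapped under a KEK that never leaves Switzerland.
type Record struct {
	ID                    string
	Nonce, Ciphertext     []byte // personal data, AES-256-GCM under the DEK
	WrapNonce, WrappedDEK []byte // DEK, AES-256-GCM under the exporter's KEK
}

// random returns n bytes from crypto/rand, which does not fail on supported platforms.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts plaintext under key with a fresh nonce, binding aad to the ciphertext.
func sealWith(key, aad, plaintext []byte) (nonce, ct []byte, err error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = random(aead.NonceSize())
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// Seal is run by the Swiss exporter: one record under a fresh DEK, the DEK wrapped under the
// KEK (envelope encryption). The record ID is bound as AAD, so a record cannot be re-labelled.
func Seal(kek []byte, id string, plaintext []byte) (*Record, error) {
	dek := random(32)
	nonce, ct, err := sealWith(dek, []byte(id), plaintext)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := sealWith(kek, []byte(id), dek)
	if err != nil {
		return nil, err
	}
	return &Record{id, nonce, ct, wrapNonce, wrapped}, nil
}

// Open is the only path back to plaintext; whoever lacks the KEK (the importer, or an authority compelling it) cannot complete it.
func Open(kek []byte, r *Record) ([]byte, error) {
	kekAEAD, err := newAEAD(kek)
	if err != nil {
		return nil, err
	}
	dek, err := kekAEAD.Open(nil, r.WrapNonce, r.WrappedDEK, []byte(r.ID))
	if err != nil {
		return nil, errors.New("cannot unwrap DEK: wrong KEK or tampered record")
	}
	dataAEAD, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	return dataAEAD.Open(nil, r.Nonce, r.Ciphertext, []byte(r.ID))
}

// Importer models the foreign cloud provider: a record store that holds no key material.
type Importer map[string]*Record

func (i Importer) Store(r *Record) { i[r.ID] = r }

// Disclose models a lawful-access request served by the importer: it can hand over
// everything it holds and try a key of its own, and still obtains no plaintext.
func (i Importer) Disclose(id string) ([]byte, error) {
	if r, ok := i[id]; ok {
		return Open(random(32), r) // it never received the KEK; any key it tries is a guess
	}
	return nil, errors.New("no such record")
}

func main() {
	kek, imp := random(32), Importer{} // the KEK is generated and kept by the Swiss exporter
	rec, err := Seal(kek, "customer-4711", []byte("Anna Muster, born 1980-01-01")) // constructed sample
	if err != nil {
		panic(err)
	}
	imp.Store(rec)
	_, err = imp.Disclose("customer-4711")
	fmt.Println("importer without KEK:", err)
	pt, err := Open(kek, imp["customer-4711"])
	fmt.Printf("exporter with KEK: %q %v\n", pt, err)
}
```

This covers the case the FDPIC has in mind: data stored abroad that the importer never needs to read. If the importer must process the data in the clear (search, analytics, support), it needs the key as well, and the measure no longer excludes access by foreign authorities; that limitation is the practical reason the approach is hard to apply across many importers.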
4) Furthermore, the existing legal framework also provides transfer mechanisms other than the Privacy Shield or SCC, which should be kept in mind. For example, transferring personal data abroad is possible with the express consent of the data subject (Art. 6 para. 2 lit. b FADP). This mechanism remains available, but consent will only be considered valid if the data subjects were informed in detail about the circumstances of the transfer and its impact on their personal data; otherwise, the consent would likely be considered invalid. Other mechanisms, such as Binding Corporate Rules for intra-group transfers, also remain available.
5) Finally, a question frequently raised is how to deal with personal data that has already been transferred to data importers under the Swiss-US Privacy Shield in the past. What exactly should be done with such data? Could or should a data controller request that all of this data be returned immediately as long as the legal gap has not been closed by a new contractual arrangement? In our view, re-transferring personal data is a disproportionate measure. Past transfers were compliant under the old regime. The current legal gap caused by the invalidation of the Swiss-US Privacy Shield can be remedied by adding security measures and/or concluding SCCs with supplementary clauses to "heal" the processing of personal data already transferred. Re-transfer could be reserved as an ultima ratio measure if the data exporter and the data importer are unable to agree on new measures and the data importer cannot meet the requirements of the SCCs; in that case, the FDPIC's guidance is clearly to suspend or terminate the data transfers.
The EU Commission has announced that it will enter into new negotiations with the United States on a successor framework to the Privacy Shield. Unless and until such a new framework is in place, data transfers to unsafe third countries carry data privacy risks, and the measures mentioned in 1) to 5) should be considered and/or implemented as a temporary solution.