Schrems II Decision Extends to Swiss-US Privacy Shield; Agreement Found Inadequate After Annual Review

The unexpected Schrems II decision was a major blow to digital trade across the Atlantic, invalidating the EU-US Privacy Shield agreement and forcing companies to very quickly revamp their data handling processes. There was some question as to whether this ruling would extend to the similar Switzerland-US Privacy Shield agreement, and that question has now been answered by a Swiss annual review: it’s just as dead, for identical reasons.

Swiss-US Privacy Shield no longer valid

Though Switzerland is not a member of the EU and not strictly subject to the terms of the GDPR, it has essentially been forced to adopt many of its terms into national law due to its position and reliance on trade with EU partners. Though there are a number of key differences between the Swiss Federal Act on Data Protection (FDAP) and the GDPR, the FDAP has been under a process of continual revision to make it more compatible with GDPR terms since the European law went active in 2018.

Swiss national data protection law is directly compared by the EU to the levels of protection offered by the GDPR to determine adequacy and retain “trusted nation” status as a data transfer partner, something more vital to Switzerland than to most other nations due to its geographic position and trade treaties with its neighbors.

While Switzerland was not included under the EU-US Privacy Shield, it set up a nearly identical data transfer mechanism using the same name. Though it’s run by the country’s own Data Protection Authority (DPA) rather than those of Europe and it contains a few substantial differences, it largely mirrors the EU-US arrangement so as to match up with key GDPR requirements.

A recent review by Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) has determined that the Swiss-US relationship can thus no longer be considered adequate due to the Schrems II ruling just as the EU-US version already has. The decision was part of an annual review of the program’s terms and was largely expected by observers, though there was some question due to stronger terms regarding the handling of Swiss resident data in the Swiss-US agreement. The FDPIC found that these added protections were not enough to be adequate to maintain the agreement given the stipulations of the Schrems II ruling.

The move does not strictly invalidate the Privacy Shield agreement, as the FDPIC does not have that authority in Switzerland. However, it does render it effectively useless on its own as the US is now listed as a non-trusted data transfer partner for whom substantial extra security measures are required.

The US would have to choose to invalidate the agreement for it to formally end, but that seems unlikely to happen as the FDPIC also found that standard contractual clauses (SCCs) and binding corporate rules (BCRs) created under the terms of the agreement may still be legally adequate at an individual level provided that they can pass a risk assessment conducted by the FDPIC. These individual agreements might be kept valid via implementation of “additional safeguards” that ensure that the US government does not have unfettered access to the personal data being handled.