Swiss Data Protection Authority Concludes Swiss-US Privacy Shield No Longer Valid for Swiss-US Transfers

Following the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”), the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) concluded in a position paper published on 8 September that the Swiss-US Privacy Shield no longer provides a valid mechanism for the transfer of personal data from Switzerland to the US.

Although the Swiss-U.S. Privacy Shield has not officially been invalidated by the Swiss Federal Council and therefore still remains in force, given these conclusions of the FDPIC, organizations relying on the Swiss-US Privacy Shield should look for alternative data transfer mechanisms in order to legitimize transfers of personal data from Switzerland to the US, e.g., standard contractual clauses (“SCCs”).

The FDPIC has not yet opined on the validity of the use of SCCs and, in particular, the need to implement additional safeguards to protect personal data transferred to certain third countries (e.g., China, India and the US).  However, given the CJEU’s judgment in Schrems II and the subsequent guidance published by the European Data Protection Board (“EDPB”), organizations based in Switzerland should monitor this issue very closely.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.