On September 1, 2023, the new Swiss Data Protection Act (nDPA or act) and the new Data Protection Ordinance (nDPO or ordinance) will enter into force. The new ordinance regulates, inter alia, the transfer of personal data to third countries. Personal data may be freely transferred only if the Swiss Federal Council has determined that the legislation of the state to which the data is transferred provides an adequate level of data protection. When the Federal Council has determined that the legislation of a state offers an adequate level of protection, the free flow of personal data from Switzerland to the recipient state is guaranteed for both the private and public sectors. In other words, it is not necessary to guarantee an adequate level of protection through other means, such as contractual clauses; instead, the mere application of the law is sufficient.
States that guarantee an adequate level of protection
Under the nDPA, the Federal Council, after consulting with the Federal Data Protection and Information Commissioner (FDPIC), draws up a list of states, indicating for each the level of data protection provided.
Currently, the Federal Council deems the following to have legislation providing sufficient protection:
- the countries of the European Economic Area (EEA)
- Andorra, Argentina, Canada*, Faroe Islands, Gibraltar, Guernsey, Isle of Man, Israel, Monaco, New Zealand, United Kingdom, Uruguay
* subject to certain conditions
The Federal Council’s list is particularly restrictive and does not include certain countries that are included in the European Union (EU) Adequacy List, such as Japan and South Korea. The level of protection will be periodically re-evaluated after the ordinance comes into force.
New U.S. executive order on U.S. intelligence activities to implement EU-U.S. Data Privacy Framework
The United States is not deemed to have sufficiently protective legislation and is therefore not included in the current draft list; however, this could still change before the entry into force of the nDPA. In its July 2020 Schrems II decision, the Court of Justice of the European Union (CJEU) expressed particular concern that U.S. national security intelligence gathering laws prevent U.S.-based entities from providing protections “essentially equivalent” to those that the EEA offers under its General Data Protection Regulation. Although Switzerland is not a member of the EU and therefore not legally bound by the CJEU ruling, the FDPIC, in view of this situation, felt compelled to remove the U.S. from the FDPIC’s list of countries.
Even so, on October 7, 2022, U.S. President Joe Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (Executive Order). This order is intended to implement U.S. commitments under the Trans-Atlantic Data Privacy Framework (DPF) (also see our article on the Sidley Data Matters Privacy Blog: US-EU Data Transfer Framework Signals Strengthened Collaboration). The Executive Order shall create additional safeguards, limit the ability of U.S. intelligence agencies to collect data, and, in particular, provide for
- binding safeguards that limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security
- the establishment of an independent and impartial redress mechanism, which includes a new Data Protection Review Court (DPRC), in order to investigate and resolve complaints from individuals regarding access to their data by U.S. national security authorities
Next steps in the EU and Switzerland
It is expected that the European Commission (EC) will now propose a draft adequacy decision and launch its adoption procedure. After the adequacy decision enters into force (assuming that it does), data will be able to flow freely between EU and U.S. companies, which, under the DPF, commit to comply with a detailed set of privacy obligations and are certified by the U.S. Department of Commerce.
The FDPIC has stated that he has taken note of the fact sheet released by the U.S. regarding the DPF and is analyzing it. The FDPIC is not expected to modify its adequacy list before the EC has rendered a new adequacy decision. Like the EU, Switzerland would need to be designated as a “qualifying state” by the U.S. attorney general, which requires reciprocal commitments by Switzerland to protect U.S. interests and the personal information of U.S. persons. However, it is expected that once these requirements are met, a Swiss-U.S. Trans-Atlantic Data Privacy Framework (Swiss DPF) will also be negotiated, and Switzerland will add the U.S. back into the “adequate protection under certain conditions” category. Free and safe data flow between Swiss and U.S. companies certified under a new Swiss DPF will then be allowed.