Newswire

For Further Information Contact:

switzerland@transatlanticlaw.com

Swiss Federal Council Approves US Data Privacy Framework: What It Means for Data Transfers

More than a year after the European Commission, the Swiss Federal Council has now also adopted its adequacy decision for the “Data Privacy Framework” (DPF) of the United States, thereby facilitating the disclosure of personal data to the United States from a data protection perspective. On 14 August 2024, it decided to amend Annex 1 of the Data Protection Ordinance (DPO); the amendment enters into force on 15 September 2024. The adjustment was overdue and is largely undisputed, at least in Switzerland.

In summary, the decision allows personal data to be transferred to US companies in the United States without further measures, provided that the companies are also certified for Switzerland under the DPF. If they are not, a data protection agreement with them is still required, but even in this case the decision increases the legal certainty of the transfer. This matters because violating the relevant requirements of the Data Protection Act (DSG) can be a criminal offence.

The political background of the matter

The reason for this was that the US President gave further assurances under Executive Order (EO) 14086 regarding intelligence access to data transmitted to the United States, in order to address the (in our opinion primarily politically motivated) criticism of the European Court of Justice (ECJ). In its “Schrems II” decision, the ECJ had found that such access made transfers to the United States problematic under data protection law, at least where there was reason to believe that such access could occur.

It is controversial whether EO 14086 is sufficient to solve the problem identified by the ECJ, and a “Schrems III” is expected in the next few years in which precisely this question should be clarified. The European Commission’s latest adequacy decision, issued in the summer of 2023 on the basis of EO 14086, which has since enabled a virtually unhindered flow of data between the EEA and the United States, may then also be overturned. If this happens, we will be left with another shambles. It will probably be another political decision on the part of the ECJ, but we consider the chances good that the Commission’s adequacy decision will stand up to scrutiny. Switzerland has followed suit for opportunistic reasons, both with Schrems II and with the current adequacy decision. Of course, this does not diminish its usefulness in any way.

Mutual review

For once, the reason why Switzerland needed more than a year to follow up with its adequacy decision was not Switzerland itself, but the fact that the United States first had to assess the adequacy of Swiss data protection and of access by authorities under Swiss law, because EO 14086 provides for such an assessment. The necessary decision by the US Attorney General was issued on 7 June 2024, which cleared the way for the Federal Council to issue the adequacy decision.

On 30 April 2024, the Federal Office of Justice completed its assessment of the adequacy of data protection in the United States under the “Data Privacy Framework”, in the light of the possibilities for access by authorities (so-called lawful access), and submitted it to the Federal Council. It analyzes both the requirements of the Data Privacy Framework and their enforcement, as well as the legal options for US authorities to access data in the United States and the measures in place to protect data subjects. The assessment concludes “that the United States ensures an adequate level of protection for personal data provided by a controller or a processor in Switzerland within the framework of the Swiss-U.S. DPF to certified organizations in the United States.”

End of the dispute over the CLOUD Act?

Although the Federal Office of Justice is as concise and general in its conclusion as the European Commission had been in the recitals of its adequacy decision a year earlier, the Federal Council, in basing its decision on it, makes one thing clear: access to data by US authorities – and this includes the much-cited “CLOUD Act” – is readily compatible with the requirements of Swiss law. In doing so, it clearly rejects the isolated but prominent claims from data protection circles that the CLOUD Act is contrary to “ordre public”. An expert report published last year also took this line. This caused some confusion, especially in public administration, about whether providers with a US connection may be used.

The Federal Council obviously does not share these concerns (which are probably due to a mere misunderstanding of US law on the part of certain authors and data protection authorities anyway). Otherwise, in view of the requirements of Art. 8 (2) DSV, it would not have been permitted to make the adequacy decision at all; among other things, these requirements imply that lawful access in the United States must be compatible with Swiss notions of the rule of law. In the EU, too, it was never seriously assumed that the CLOUD Act was incompatible with European data protection; after all, the rules it contains derive from the Council of Europe’s Cybercrime Convention. We hope that this discussion is now off the table as far as data protection is concerned (until it flares up again with “Schrems III”).

Professional secrecy and official secrecy: Nothing changes

However, the adequacy decision changes nothing with regard to professional and official secrecy. Here, there must still be no reason to assume that, for example, the use of cloud services of a foreign hyperscaler will lead to foreign lawful access. This applies to all authorities outside Switzerland, whether in Germany, the Netherlands, Ireland or the United States, and has nothing to do with data protection as such. The topic is relevant for data protection only insofar as commissioned data processing is permissible under data protection law only if it does not violate any confidentiality obligations.

Holders of professional and official secrets will therefore still have to carry out a Foreign Lawful Access Risk Assessment (FLARA) whenever they use a cloud service or other service with a foreign connection; an established methodology for this now exists in Switzerland. Exceptions are cases in which the disclosure of secret data abroad is permitted by law or contract, or by means of a suitable waiver, even if there is an increased risk of access by authorities. Today, however, there is a recognized set of measures that can be used to reasonably restrict such access by authorities, especially in the cloud.

Only for certified companies

The Federal Council’s press release on the adequacy decision for the Swiss-US DPF refers only to the transfer of personal data to “certified” US companies in the United States. As such, this is correct, but far too narrow for practice. In fact, the adequacy decision can also be used for most other transfers of personal data to the United States. This is relevant because most US companies either do not have certification or cannot obtain it at all. For example, certification is not open to certain industries. Nor can certification generally be used for intra-group data traffic to the United States, because it makes no business sense there.

Which companies are certified can be found here. As always, it is necessary to check whether the certification also covers the “Swiss-U.S. Data Privacy Framework” and not only the EU one, and for which data category the certification has been made (HR data or non-HR data).

What is the Data Privacy Framework?

In its decision, the Federal Council did not describe US data protection law as adequate. A uniform, let alone adequate, US data protection law does not yet exist. In order to make it easier for US companies to receive data on the basis of an adequacy decision, the United States launched the DPF, which – like its two predecessors “Safe Harbor” and “Privacy Shield” – defines a set of data protection rules (modelled on European data protection law) to which US companies can submit themselves by means of a declaration and certification, with a distinction being made between employee data and other personal data.

If these companies do not comply with these data protection rules, they can be prosecuted in the United States for violating their public data protection assurances, which does indeed happen. Together with some other measures, participation in this program thus compensates for the lack of a US data protection law. This is why the adequacy decision applies only to certified companies. The DPF is available in a version for the EEA (and the UK) as well as one for Switzerland.

Today, US providers and online services such as Microsoft, Google, Meta or Amazon are certified under the DPF because they want to simplify the use of their services and their intra-group data traffic in this way, since further measures are required without an adequacy decision. In the global data traffic that takes place between the various group companies of large corporations, for example, the DPF hardly plays a role. As mentioned, certification would be too time-consuming for them.

The real challenge was not the DPF

Now, this concept of self-certification has never been the real problem with data transfers to the United States; it has existed for years under changing names. The problem was the intelligence service access mentioned above. That, however, affects all data transfers to the United States in the same way – including those made on the basis of the EU Standard Contractual Clauses (EU SCCs). Since this problem has been solved with EO 14086, at least for the moment and from the Federal Council’s point of view, and since from the US point of view EO 14086 now applies to all transfers from Switzerland, i.e. even those not carried out under the Swiss-US DPF, those who rely only on the EU SCCs for adequate data protection at the recipient in the United States will also benefit. These, in turn, are the majority of cases in which data is transferred to the United States.

Incidentally, for most US cloud providers that operate their business via EU subsidiaries (such as Microsoft, AWS, Google, OpenAI), the Swiss-US DPF is not necessary at all or does not apply anyway: here, data is first transferred to the EU and only from there to the United States, and has thus benefited from the European Commission’s adequacy decision since the summer of 2023. The Federal Council’s adequacy decision is relevant only for direct transfers to the United States, where data protection law looks not at the physical transfer but at where the recipient is legally located. If the data center is in Ireland but the company that operates it, and with which a Swiss company has its contract, is in the United States, this is legally a transfer of data to the United States, even if the data stays in Ireland.

Relevance of the decision for the deployment of the EU SCC

But how can one benefit from the adequacy decision when using the EU SCCs? Unfortunately, this is also a bit complicated. For this purpose, it is necessary to look at Art. 14 of the EU SCCs, where the parties undertake, before transferring personal data under the EU SCCs, to check whether there is reason to believe that there will be problematic access by authorities in the recipient’s country. This examination is called a “Transfer Impact Assessment” (TIA) and is generally understood to be required or expected by data protection law – even in Switzerland.

If data is now transferred to the United States outside the Swiss-US DPF, whoever relies on the EU SCCs as a protective measure must check for themselves what possibilities for access by authorities exist in the United States and whether they are problematic. They must therefore do essentially the same as the Federal Council did in its adequacy decision. The latter comes at just the right time: anyone who wants to transfer data to the United States can basically make it easy for themselves and, after reading the Federal Council’s remarks, declare that they see it the same way and that the transfer of personal data to the United States is therefore unproblematic. If the Federal Council comes to this conclusion, a private data exporter is unlikely to be accused of not having carried out its assessment correctly; in any case, no criminal liability can be constructed from it. In order to document this “pro forma” TIA, we have drafted a template (available here), as we have already done in a similar form for EU law (here).

How to proceed in concrete terms?

The following points show how to proceed in the case of a transfer to the United States from September 15, 2024:

  1. Check the DPF program website to see if the recipient is certified in the program. It is important to ensure that the certification also covers the relevant data categories. A distinction is made between data about employees (“HR Data”) and other data (“Non-HR Data”). Note: According to a German report, there are allegedly differing opinions as to whether the certification for “HR data” covers only that of the importer (supposedly the US view) or (also) that of the exporter (the EU view). In our view, the certification for HR data also covers that of the exporter, and this seems to be the United States’ position as well. So there is probably a misunderstanding here. In the FAQ on the DPF website, the United States clarifies that the privacy policy may also be used for HR data “transferred from the European Union and, where applicable, the United Kingdom (and Gibraltar) and/or Switzerland in the context of employment” (see Q7). Of course, the privacy policy and certification must cover the data for whose transfer the exporter wishes to rely on the DPF.
  2. If the recipient is certified, you can proceed on this basis. From a purely legal point of view, no further steps are necessary; the disclosure of personal data to the recipient in the United States is permissible without further ado under Art. 16 para. 1 FADP. In practice, however, it is recommended to agree in the contract with the recipient that the recipient must maintain the DPF certification or at least inform the exporter if this is no longer the case (and, in that case, is prepared to regulate the transfer of personal data to the United States differently or to accept that no further personal data can be transferred, with the corresponding consequences).
  3. If the recipient is not certified, the disclosure of personal data to it must be secured in another way. In practice, this is usually done on the basis of the EU Standard Contractual Clauses (EU SCCs), which must be supplemented by an addendum for transfers from Switzerland (see our detailed FAQ, in which, however, the adequacy decision has not yet been updated). This is usually possible without any problems because the EU SCCs are accepted worldwide. Of course, no such arrangement is necessary if one of the exceptions under Art. 17 FADP applies, e.g. if the performance of the contract with or for the data subject requires the transfer. Until now, a so-called Transfer Impact Assessment (TIA) had to be carried out when using the EU SCCs in order to check whether there was reason to assume that there would be problematic access by authorities in the United States. This is still legally required, as the transfer is outside the adequacy decision. In practice, however, the exporter of the data can rely on the Federal Council’s considerations and, for the sake of good order, use our pro forma form (for those who want to do it properly) to document that a TIA has been carried out. Once is enough.
  4. In practice, the question finally arises as to whether both should be done, i.e. whether the EU SCCs should still be concluded even with a recipient who is certified. We recommend this where the opportunity arises. This is because there are certain uncertainties as to whether and for how long the adequacy decision will be upheld. If it were to be overturned because the Federal Council repeals the decision after a corresponding ECJ decision (“Schrems III”), the EU SCCs would at least represent another basis on which the transfer of personal data could be based to some extent; the transfer would be accompanied by certain uncertainties, as was the case with “Schrems II”, but would probably not be clearly inadmissible. This is also common practice: both safeguards for the transfer of personal data to the United States are provided for in the contracts. However, it is also clear that as long as the adequacy decision can be used, preference will be given to it, i.e. the contract will stipulate that the transfer of data to the United States takes place only on the basis of certification under the DPF. Legally, it is not necessary to choose between the DPF and the EU SCCs. However, the EU SCCs have the special feature that they provide for excessive obligations (and moreover cannot be changed), which is reflected, for example, in unlimited liability or in information obligations. For some companies (especially providers) it is therefore quite interesting to agree on the EU SCCs but to “suspend” them until they are needed for the transfer (then there is no need for a TIA until they are used). This is achieved in the contract with corresponding wording clarifying that as long as the adequacy decision and the certification under the DPF remain in place, the transfer to the United States takes place solely on that basis and not on that of the EU SCCs.

     Therefore, we recommend explicitly regulating this point (“fallback mechanism”) in the contract, and not simply agreeing on the EU SCCs in parallel – unless the strict rules of the EU SCCs are desired (which may well be the case on the part of the customer).

Those who have already agreed on the EU SCCs basically do not have to do anything, unless the EU SCCs are a thorn in their side for the reasons just mentioned. In that case, it may be worthwhile to adjust the contract, if necessary with the fallback mechanism described above. Companies that rely on Binding Corporate Rules (BCR) also do not have to do anything. There is also usually no need for action if one of the hyperscalers or other online providers is used and the contract has been concluded with its branch in the EEA, as is usually the case with Microsoft, AWS and Google, for example: in this case, from a legal point of view, the data first goes to the EEA, and the onward transfer from there to the United States takes place under EU law and is therefore already protected under the EU-US DPF, which has been in force since the summer of 2023 (exceptions may exist where, as in the case of AWS, the provider has provided in its DPA that the Swiss customer must also agree directly with the US parent company on the EU SCCs).

We assume that the DPF will be used in dealings with providers, but that it will not really be trusted as a long-term hedge; past experience with it is too bad (“Schrems I”, “Schrems II”). In fact, however, the long-running question of data protection compliance in the transfer of personal data to the United States is likely to be off the table for the time being (as mentioned, except for professional and official secrets), and that is a good thing. In the EU, too, the supervisory authorities have gone quiet on the topic since the adequacy decision. There are more important issues in data protection.

By Vischer, Switzerland, a Transatlantic Law International Affiliated Firm.

For further information or for any assistance please contact switzerland@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 84 Brook Street, London W1K 5EH, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.