We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
07 August 2020
On 16 July 2020 the European Court of Justice (ECJ) declared that the European Commission's decision of 12 July 2016, which had found that the United States ensured an adequate level of protection of personal data transferred under the EU-US Privacy Shield Framework, was invalid (Judgment C-311/18).
Under the EU General Data Protection Regulation (GDPR), data controllers and data processors may transfer personal data outside the European Union only in certain limited circumstances. In particular, the transfer of personal data to countries that the European Commission deems not to provide an adequate level of data protection requires (in most cases) specific safeguards. On the other hand, where the European Commission decides that the destination country offers an adequate level of data protection, there is no mandatory requirement for specific safeguards.
In this respect, the European Commission considered that personal data transfers from the European Union to the United States benefitted from an adequate level of protection, provided that the US-based data recipient was certified under the EU-US Privacy Shield Framework. Prior to its invalidation, this framework allowed US-based entities to certify under the EU-US Privacy Shield Framework, thereby offering an equivalent level of data protection to that afforded under the GDPR.
This article examines the effect that the ECJ's decision will have on the Swiss-US Privacy Shield Framework.
In Judgment C-311/18, the ECJ found that the protection of personal data under the EU-US Privacy Shield Framework does not meet the standards required under EU law. This was primarily the result of the ECJ's findings that EU residents (non-US nationals) have insufficient legal remedies in cases where US authorities access under US national security programmes personal data pertaining to EU residents processed by US recipients certified under the EU-US Privacy Shield Framework.
On the other hand, the ECJ ruled that so-called 'standard contractual causes' (SCCs), which are safeguards under the GDPR for personal data transfers to jurisdictions that do not offer an adequate level of data protection, remain valid. However, and more importantly, the ECJ considered that data exporting parties would be responsible for verifying beforehand whether:
This means that while SCCs provide a viable alternative to continue data transfers, they are not necessarily sufficient and require a case-by-case assessment; they may even require additional contractual guarantees in order to offer sufficient data protection.
The situation in Switzerland is uncertain at the time of writing. The Swiss-US Privacy Shield Framework remains formally valid and in effect. However, the Federal Data Protection and Information Commissioner (FDPIC) is reviewing the situation in light of the ECJ's judgment and it is likely that the Swiss-US Privacy Shield Framework will also fall in the near future. Swiss businesses are therefore strongly advised to identify any categories of personal data which they transfer from Switzerland to US-based entities that rely solely on such US-based entities' Swiss-US Privacy Shield Framework certification.
For such transfers, specific safeguards such as the SCCs (the EU's SCCs, possibly adapted to Swiss law) must be implemented, unless an exception applies. That said, in light of the ECJ's decision, Swiss businesses switching to SCCs or already using SCCs for transfers of personal data to jurisdictions not offering an adequate level of data protection for the personal data being transferred should in any case reassess the use of the SCCs and, if necessary, supplement them with additional contractual guarantees. Moreover, businesses should closely monitor new developments, in particular the outcome of the FDPIC's assessment.
For further information on this topic please contact Jürg Schneider or Lena Götzinger at Walder Wyss by telephone (+41 58 658 58 58) or email (firstname.lastname@example.org or email@example.com). The Walder Wyss website can be accessed at www.walderwyss.com.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.