By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
Legal News International
Ueli Sommer and Cedric Bamert
/
August 29, 2024

USA newly with adequate level of data protection

The USA will be added to the list of countries with an adequate level of data protection. This was decided by the Swiss Federal Council at its meeting on August 14, 2024.

New data protection legislation has been in force in Switzerland since September 1, 2023. It stipulates that personal data may only be transferred abroad without additional guarantees if the recipient country can offer an adequate level of data protection. If it meets this requirement, it will be placed on a binding list by the Swiss Federal Council, which will be published in Annex 1 of the Data Protection Ordinance. In its meeting, the Swiss Federal Council has now come to the conclusion that the USA will also be placed on this list, as the new data protection framework between Switzerland and the USA (Swiss-U.S. Data Privacy Framework) enables the secure exchange of personal data when certified US companies are involved. This is ensured in particular by a new US data protection court. As a result, personal data can now be transferred to certified companies in the USA without additional guarantees. The changes to the Data Protection Regulation will apply from September 15, 2024.

Data may only be passed on to certified companies. These companies may only process the data for the purposes for which it was collected. An American company must register with the US Department of Commerce for the necessary certification and undertake to comply with the data protection principles set out in the Privacy Shield, such as principles for the protection of privacy. The certification is renewed once a year. Before a Swiss company transfers personal data to the USA, they should check whether the company in question is certified. To do this, Swiss companies can consult the Privacy Shield List, which lists all certified companies. If a US company is not certified, the transfer of personal data requires other sufficient guarantees (e.g. EU standard contractual clauses or binding corporate rules). Certification for US companies and the restriction on processing ensures that the envisaged data protection measures and data protection guarantees are complied with.

There are various legal bases in the USA on the basis of which authorities can access personal data, whether for the purposes of criminal prosecution or national security. For example, federal prosecutors and criminal investigators can access personal data processed by certified organizations for law enforcement purposes. This happens regardless of the nationality or place of residence of the person concerned. Various safeguards, such as a complaints mechanism, are available to prevent arbitrariness on the part of the US authorities and vulnerability of the person concerned. Independent, impartial courts also play an important role when it comes to having the legality of government access to personal data reviewed and, in the event of a violation, remedied by correcting or deleting personal data.

To prevent a complaint being lodged with a court in the first place, the new data protection framework guarantees that key data protection principles of Swiss law are complied with, such as Art. 6 FADP. For example, the principle of processing personal data lawfully and proportionately must be observed. Data may only be obtained for a specific purpose and the data may then only be used in a way that is compatible with this purpose. The data subjects must be informed about the essential characteristics of the processing of personal data, such as the purpose of the processing or which legal remedies are available (transparency). Data subjects have a right of access, the right to object to processing or the right to rectification and erasure of data vis-à-vis controllers and processors who play an important role in the transfer of personal data from Switzerland to the USA. This right of access can only be restricted in exceptional cases and the reason for the restriction must be comparable to the reasons provided for under Swiss law.

The Data Protection Review Court, hereinafter referred to as the DPRC, is of particular importance in the area of data protection review. If the privacy or civil liberties of a data subject are impaired, they can file a complaint due to an alleged violation of US law. Since June 7, 2024, persons from Switzerland have also had this right to lodge a complaint. The complaint does not have to prove that personal data was actually obtained from intelligence services. The complaint is first forwarded by the FDPIC to the CLP Commissioner (Privacy and Civil Liberties Officer). Its decision can then be appealed to the DPRC. The DPRC is an independent judicial body consisting of at least 6 judges. An appeal to the court is examined by at least 3 members of the court. They are assisted by a specialist lawyer who ensures that the interests of the complainant are represented. If the court's written decision shows that applicable regulations have been violated, it will determine appropriate remedial measures, such as the deletion of unlawfully collected data or the restriction of access to collected data. The court's decision is binding and final.

With regard to the Swiss-U.S. Data Privacy Framework, it is of particular importance that a legal framework is in place when personal data is transferred to certified companies, which also applies to access to this data by law enforcement authorities or U.S. national security agencies. The legal framework describes the conditions under which personal data transferred from Switzerland to US companies can be passed on and ensures that the further use of the data is limited to what is in the public interest, necessary and proportionate.

The Swiss Federal Council has therefore decided, on the basis of investigations by the Swiss Federal Office of Justice, that the USA provides an adequate level of protection for personal data.

About the authors:

Ueli Sommer is Managing Partner of Littler Switzerland.

You can reach him at +41 44 219 60 61 or ueli.sommer@littler.ch.

Cédric Bamert is a Junior Associate at Littler Switzerland.

You can reach him at +41 44 219 60 62 or cedric.bamert@littler.ch.