Swiss-US Data Privacy Framework – Swiss adequacy decision for US certified data recipients

In summary, this development will:

• allow the transfer of personal data to US companies certified under the DPF without further measures such as agreeing on EU Standard Contractual Clauses (EU SCC) and performing a transfer impact assessment (TIA), and 
• simplify the risk assessment and increase the legal certainty for transfers of personal data to the US outside the DPF. 

The adequacy recognition creates a level playing field between Swiss and EU private individuals and businesses, since the EU and USA agreed on the EU-US Data Privacy Framework in July 2023.

What has changed?

Mutual adequacy recognition and EO 14086

The reason it took Switzerland more than a year to catch-up with the EU-US Data Privacy Framework, is because the adequacy decisions required both:

• an assessment from the Swiss perspective – completed by the Federal Office of Justice on 30 April 2024 (available here), and 
• an assessment and recognition by the US – completed earlier this year on 7 June 2024 (available here) by the US Attorney General, which designated Switzerland as a qualifying state for purposes of implementing certain mechanisms under US Executive Order 14086 (EO 14086), conditional on Switzerland recognising the adequacy of data transfer to US certified companies under the DPF.

As a reminder, EO 14086, introduced on 7 October 2022, brought a number of changes to the US legal system relevant for the Swiss adequacy assessment, including the introduction of limitations of US intelligence services activities (proportionality), increased oversight of US intelligence services, and the establishment of a redress mechanism. 

When will the DPF enter into force?

The DPF will enter into force with the amendment to the Data Protection Ordinance (DPO) on 15 September 2024.

Why does this matter?

The DPF will facilitate transfer of personal data to, and access to personal data from, the US. Once effective, certified US companies will be able to receive or access personal data without the requirement to enter into EU SCC or perform a TIA (Article 16 (1) Data Protection Act (DPA)). The list of certified US companies under the DPF is available here, and specifies (a) whether the US company is certified under the DPF (in addition to the EU-US Data Protection Framework and the UK Extension thereto), as well as the types of data for which the certification applies (i.e., HR and/or non-HR data).

However, even for transfers of personal data which will continue to rely on EU SCC, this development will facilitate disclosure and completion of the TIA, due to the fact that the designation of Switzerland under EU 14086 and the limitations imposed on US intelligence activities apply irrespective of whether personal data is disclosed under the DPF or based on a different mechanism. 

What of the US CLOUD Act?

The adequacy decision by the Swiss Federal Council is welcome in the sense that it – at least implicitly – clarifies that, as a matter of principle, the US CLOUD Act is not per se contrary to Swiss public policy and does not, in and of itself, prevent the private sector from using third party service providers (e.g., cloud service providers, SaaS solutions, etc.) who are affiliates of US groups subject to the US CLOUD Act.

Apart from that, this development does not change anything with regards to requirements applicable when data subject to professional or official secrecy is involved.

In particular, the adoption of the DPF and adequacy decision by the Swiss Federal Council does not change the need to perform – in certain situations – a risk assessment in relation to the likelihood of lawful access by foreign authorities (Foreign Lawful Access (FLA)) to any data (and not only personal data) subject to a professional or official secrecy obligation. Of note, the assessment of the likelihood of a FLA and analysis of whether this conflicts with a professional or official secrecy obligation is not limited to the US CLOUD Act, but has to cover all other relevant legislation, be it US (e.g., Foreign Intelligence Surveillance Act (FISA)) or the corresponding foreign legislation in all relevant jurisdictions to which data subject to professional or official secrecy is transferred or from which such data is accessible.

Exceptions to the above remain situations where the disclosure of data subject to professional or official secrecy is permitted by and based on (a) applicable law, (b) contract and/or (c) a valid suitable waiver.

Do you (still) need a data transfer agreement and EU SCC?

In a nutshell, as from 15 September 2024 it will no longer legally be a requirement – under the Swiss DPA – to put in place EU SCC with a certified US data recipient, assuming that it was necessary to rely on the latter prior to the DPF to allow for the transfer to proceed. In practice, however, it remains recommended to put a contractual framework in place, even with certified US data recipients, to cover the following aspects:

• obligation of the US data recipient to maintain certification under the DPF and comply with the obligations and principles under the DPF;
• notify the Swiss data provider immediately in case the US data recipient ceases to be on the DPF list, for any reason; and
• a contractual mechanism for handling and resolving consequences of the removal of the US data recipient from the DPF list and/or of the DPF becoming invalidated at some point in time.

In this context, to the extent possible, Swiss data exporters should consider wherever possible to agree with the US data recipient on the EU SCC, perform a TIA and then agree to suspend the SCC for as long as the DPF is in place and allows to justify personal data transfers.

In view of the above, for personal data transfers which are already documented with proper data transfer agreements and EU SCC or binding corporate rules (BCR), no action is required. Parties may wish to review and update the wording of the relevant contractual framework in due course, upon the next review and update of the relevant documentation (e.g., for example for intra-group data sharing framework for multi-national groups).

Future developments

Although the DPF is intended to be a long-term solution, the framework remains susceptible to judicial review and challenge in particular in the EU, and it cannot be excluded that it will end similarly to what happened to the EU-US Safe Harbor Framework, the EU-US Privacy Shield (i.e., "Schrems II") and the corresponding mirror effect on the Swiss-US arrangements.

In any event, the Swiss Federal Council adequacy decision will have to be regularly reviewed and take into account the evolving legal landscape and judicial decisions which may affect the assessment. The first review is expected to take place in one year.

Useful documents and links

• Swiss-US DPF;
• List of certified companies under the DPF;
• Swiss adequacy assessment by the Federal Office of Justice;
• US adequacy assessment by the US Attorney General;
• Swiss Data Protection Act;
• Swiss Data Protection Ordinance.