Switzerland’s new data protection law will come into force on September 1st, 2023. This Insight focuses on the provisions on data transfer abroad as well as on the existing case law. Furthermore, the expert opinion on the use of cloud services by the city of Zurich, which Laux Lawyer prepared on its behalf, is also discussed.
Transfer of personal data in the light of the new FADP
In Art. 9 nDSG, the legislator addresses processing by the processor. As an innovation compared with the FADP still in force (where the matter is regulated in Art. 10 FADP), Art. 9 para. 3 nDSG states that a processor may only transfer data processing to a third party with the prior consent of the controller. This takes into account the fact that, due to ever-increasing networking and the increasing division of labour in the digital world, processors are assigning data processing to further sub-processors. In order to prevent data processing from getting out of control, processors are obliged to obtain the approval of the controller when transferring processing to third parties.
The principles of data transfer abroad, previously regulated in Art. 6 FADP, will in future be found in Art. 16 nDSG. The wording has changed in a fundamental way. Previously, it was stated that personal data may not be transferred abroad if this would seriously endanger the personality of the persons concerned. The wording has now been formulated positively. Art. 16 nDSG states that personal data may be transferred abroad if the Federal Council has determined that the legislation in the destination country guarantees adequate protection. If the Federal Council has not made such a decision, personal data may only be transferred to third countries in the cases mentioned in paragraph 2. Appropriate data protection within the meaning of Art. 16 para. 2 nDSG may result, for example, from an international treaty (lit. a) or from standard data protection clauses which the Federal Data Protection and Information Commissioner (FDPIC) has approved, issued or recognised in advance (lit. d). Art. 17 nDSG provides for exceptions in which personal data may be disclosed abroad in deviation from the principles in Art. 16 nDSG.
Case law
In the Schrems II ruling, the European Court of Justice (ECJ) declared the EU-US Privacy Shield invalid (ECJ, C-311/18). The ECJ held that data may only be transferred to third countries if the third country has an adequate level of data protection, whether under an international agreement or under domestic law. In the absence of an adequacy decision, other sufficient guarantees must be in place. So-called Standard Contractual Clauses (SCC) can be a sufficient guarantee, but only on the premise that the data subject has enforceable rights and effective remedies. If this is not the case, the data transfer is only possible with consent after transparent information (cf. Art. 49 GDPR).
Following the Schrems II ruling, the FDPIC also came to the conclusion that there is no adequate level of protection for data transfers from Switzerland to the USA. In particular, there is a lack of enforceable legal claims in the USA.
Practice
The EU’s new SCC are dated 4 June 2021 and apply, with the same deadline, in Switzerland as well. However, they cannot be adopted unconditionally, but require adaptation to Swiss law. As already indicated, they allow data to be transferred to a third country that does not have an adequate level of data protection. In practice, they represent one of the simplest and therefore most frequently used means of enabling such data transfers.
In the Laux Lawyer opinion on the issue of cloud use by the City of Zurich, the following questions arose: Is an organisational unit of the City of Zurich allowed to use public cloud services? Does this also apply to information with an increased need for protection? What if the cloud provider is subject to a different legal system? What if people from abroad can access data in the cloud?
According to the expert opinion, cloud services may be used for all information for the fulfilment of tasks.
Criticism of the practice
The new practice is not beyond doubt. For example, the FDPIC criticises the expert opinion of Laux Lawyer regarding cloud use by the city of Zurich: according to the FDPIC, there is a lack of legal certainty for the use of cloud services provided by US tech companies, so that disclosure by Swiss authorities cannot be described as unproblematic. The FDPIC attributes the opposite conclusion reached by the private experts in their report to a gullible attitude on their part towards vague information from the US authorities. The fact that US intelligence agencies can access data from US tech companies is given too little attention by law firms. It is difficult to predict the likelihood of such access to data of a Swiss citizen by a US intelligence agency, but in the opinion of the FDPIC, it is underestimated or played down by the experts. According to the FDPIC, public bodies have a special responsibility towards citizens and may not simply commission private experts to assess a risk.
The protection of human dignity, the principles of the rule of law, the right to privacy and the data protection derived from it also play a special role here. These principles come into play in relation to defence and benefit claims of a private person against the state, but not in the case of state duties to protect. There are, however, good reasons to include the right to protection of personality and, derived from this, data protection among the defence claims of a private individual against state intervention.