Skip to content

Nevertheless, according to Robes & Gray LPP1 this does not affect the EU, and therefore Switzerland too, because this new Trump Order must be consistent with the Judicial Redress Act, which extends protection under the Privacy Act of 1974 to the EU (and probably also Switzerland). Thus, according to the EU Commission,2 there is no doubt that the EU-US Privacy Shield is no longer legally valid. The same might be said of the CH-US Privacy Shield, which has yet to be negotiated in detail. However, an opinion from the FDPIC on this issue is currently pending.The CJEU stated therein that the guarantees under Safe Harbour were insufficient to ensure an equivalent level of data protection as the EU regulation. This would not have been of concern to Switzerland unless it had concluded a Swiss-US Safe Harbour Agreement similar to that of the EU-US Safe Harbour Agreement. Accordingly, the Swiss Federal Council took note of this ruling by the CJEU and announced that the Swiss-US Safe Harbour Agreement would be terminated if the EU and the USA were to find an effective solution that was also practicable for Switzerland, which was introduced in the form of the Privacy Shield despite all the criticism. Accordingly, on 11 January 2017, the Federal Council announced that Switzerland was in detailed negotiations on a Swiss-US Safe Harbour.The Swiss-US Privacy Shield4 results in significant improvements for the data subjects in Switzerland affected by data transmission to the United States. As a result, US companies are increasingly bound by the principles of data protection. Compliance will be monitored by US authorities in the future by issuing a certificate with periodic checks. Data subjects can obtain information directly from certified US companies or government agencies about data processing and enforce corrections and deletions. In addition, data subjects can indirectly influence the processing of their data by US security authorities via an ombudsman mechanism. To what extent this can be controlled is rather questionable. Nevertheless, the US authorities ensure that they will act to enforce and evaluate the above tools. Cooperation between the US Department of Commerce (DOC) and the FDPIC is to be intensified. Three months after the finalisation of the Privacy Shield details, interested US companies can initiate the certification process at the DOC. Until then, the FDPIC will not initiate non-compliance proceedings. The DOC will then post a list of all certified companies on its website. As soon as this information becomes available, the FDPIC will publish a link to this list and all relevant documents on its website.With the Privacy Shield, the same standards apply to Swiss exports of personal data to the US as to those from the EU. This is fundamental for legal certainty in trade and in particular for the free exchange of data between Switzerland and the EU, especially in the commercial sector.It affirms, based on the wording of the Swiss-US Privacy Shield, the appropriateness of the data protection level and has modified its list of countries5 (in accordance with Article 7 of the Federal Law on Data Protection (VDSG)) in favour of companies certified under the Swiss-US Privacy Shield. In this context, US companies have to release a separate certificate for Switzerland than for the EU. EU companies should therefore take care that they also have a Swiss-US Privacy Shield Certificate when concluding contracts for their Swiss subsidiaries, and not just an EUUS Privacy Shield Certificate. It is to be hoped that the US government will handle the certification pragmatically, so that there is no barrier to trade for Swiss companies.