Skip to content

In response to our enquiry, the Federal Department of Justice and Police stated that the negotiations with the USA are at an advanced stage but have not yet been concluded. It is not yet possible to say when a conclusion can be expected.

We have summarised for you here what has happened so far and what this means for you as a company.

The new Swiss Data Protection Act (DSG, SR 235.1) and the corresponding Federal Council Ordinance (DSV, 235.11) have been in force since 1 September 2023.

Under the new DPA, the Federal Council, and no longer the FDPIC as before, is responsible for adequacy decisions regarding data protection in another third country. Those countries that have an adequate level of data protection are listed in Annex 1 of the DPA and are no longer considered unsafe third countries from a data protection perspective.

Following the ruling of the ECJ in the “Schrems II” case (Case C 311/18) on 16 July 2020 and the associated failure of the Privacy Shield Agreement with the USA, Switzerland has entered into new negotiations with the EU in order to reach a data protection-compliant agreement with the USA. In order to continue to ensure a secure data flow with the USA, the EU published newStandard Contractual Clauses (SCCs) in 2021. These have a modular structure and can be compiled in our SCC Generator. As a result of the Schrems II case law, companies are obliged to carry out a so-called Transfer Impact Assessment (TIA) for third country transfers in addition to the Data Protection Impact Assessment (DFA) prior to the conclusion of the contract. Based on this TIA, a risk assessment must be carried out to determine whether there are sufficient procedural safeguards for the data subject that meet the standard of the EU Charter or, in Switzerland, the Swiss Federal Constitution (BV, SR 101) and the European Convention on Human Rights (ECHR, SR 0.101).

The new “Data Privacy Framework” (DPF) is now intended to ensure the secure flow of data between the USA and Europe. In connection with the conclusion of this framework agreement, the USA is also to be included in Annex 1 by Federal Council resolution as a country with an adequate level of data protection under certain conditions. These conditions essentially relate to the participation of the US companies concerned in this framework agreement. Since 1 September 2023, Swiss companies have therefore been eagerly awaiting the Federal Council’s decision in order to eliminate this legal and thus compliance uncertainty.

In response to our enquiry, the Federal Department of Justice and Police stated that the negotiations with the USA are at an advanced stage but have not yet been finalised. It is not yet possible to say when a conclusion can be expected.

Annex 1 of the DPA therefore remains unchanged for the time being. From a data protection perspective, the USA must continue to be treated as an unsafe third country.

What does this mean for you as a company?

Although the negotiations are expected to be finalised soon and the DPF will be introduced this year, the legal reality remains unchanged. Both the conclusion of SCCs and the data protection impact assessment with a transfer impact assessment (template can be found in our shop here) must still be carried out under the current law of the DPA. Failure to comply with these requirements until the DPF has been completed harbours the risk of not fulfilling the (still) applicable legal requirements in the event of an incident.

The consequences of this can include a fine of up to CHF 250,000 for you as the responsible private individual in accordance with Art. 61 FADP. We therefore recommend that you continue to fulfil the existing compliance requirements and carry out a data protection impact assessment and a transfer impact assessment for data transfers to the USA.