Take-Aways (AI)
- As of September 15, 2024, the Federal Council will add the USA to the list of countries with an adequate level of data protection, provided that recipients are certified under the CH‑U.S. Data Privacy Framework.
- Permitted data transfers to certified US recipients do not require standard contractual clauses (SCC) and generally no transfer impact assessment (TIA).
- Exporters are advised to contractually ensure that certification is maintained and to clearly define the basis of the transfer (DPF or SCC).
At its meeting on August 14, 2024, the Federal Council finally decided to add the USA to the list of countries with an adequate level of data protection in accordance with Annex 1 of the GDPR, provided that the respective recipient is certified under the CH‑U.S. Data Privacy Framework. The amendment will enter into force on September 15, 2024 (see the media release).
This has the following effects in particular:
- Various importers such as Microsoft, Google, Amazon and Salesforce have already certified themselves in accordance with the CH‑U.S. Data Privacy Framework. As soon as the amendment to the GDPR is in force, an exporter whose exports are subject to the DPA can invoke the CH‑U.S. DPF.
- Transfers within this framework are permitted without the Standard Contractual Clauses (SCC) having to be concluded.
- Intra-group transfers can also rely on the CH‑U.S. DPF, provided the U.S. recipient is certified (and can deal with the relevant obligations and requirements, including the requirements for onward transfers within the group).
- No Transfer Impact Assessment (TIA) is required if a transfer is based on the (CH or EU‑U.S.) DPF.
- If an exporter relies on the certification of an importer, it should have the maintenance of the certification contractually guaranteed.
- There is nothing to be said against basing a transfer on the SCC in addition to the (CH or EU‑U.S.) DPF; on the contrary, many companies will proceed in this way. In this case, a TIA can be dispensed with if the SCCs are only a safety net (one can argue that a TIA remains necessary, strictly speaking, because it is probably also an independent contractual obligation under the SCCs). In Switzerland at least, the FDPIC will not require a TIA if the CH‑U.S. DPF is a basis for the transfer. If a TIA is still carried out, it may also be simpler because the EU adequacy decision for the EU‑U.S. DPF already covers part of the relevant U.S. law – this also applies if a transfer is not covered by the DPF. However, exporters should consider whether the primary basis is the (Swiss or EU‑U.S.) DPF or the SCC. Although there is no clear obligation to make and document this decision, the consequences are not the same. For example, the requirements under the SCC and the DPF differ in terms of the information provided to the data subjects.
- In the case of a transfer from Switzerland to a country with an adequate level of data protection and an onward transfer from there to a US recipient certified under the EU-US DPF, the EU-US DPF covers the onward transfer. The DPA does not apply to this case of onward transfer (because, unlike the GDPR, it does not “infect” the entire chain), and the US importer does not also have to be certified under the CH-US DPF in this case.