- Swiss-US Data Privacy Framework certification is generally recognized as an adequate level of data protection for the Confederation, cantons and communes, but the legal responsibility of the authorities remains.
- Before transferring to US organizations: Verify certificate status, note revocation options and agree binding exit scenarios and standard contractual clauses.
privatim, the Conference of Swiss Data Protection Commissioners, has published recommendations on the “Transfer of personal data to organizations in the USA on the basis of the Swiss-US Data Privacy Framework” (PDF).
The recommendations begin by stating that certified organizations must “maintain an appropriate level of data protection”. This applies to the Confederation in accordance with Art. 16 para. 1 FADP and Art. 8 para. 1 DPA. The cantons often refer to the adequacy decisions of the Federal Council (e.g. Basel-Stadt: § 23 para. 1 lit. a IDG and § 11 para. 1 IDV; Zurich: § 19 lit. a IDG and § 22 para. 1 IDV).
Accordingly, certification under the CH-US DPF (DPF) is as a rule also regarded as sufficient under the cantonal data protection laws:
For public bodies of the cantons and municipalities, the certification [of adequate data protection for certified companies according to the Swiss‑U.S. DPF] is not always directly legally binding, but is generally considered to be a sufficient basis for the recognition of an adequate level of data protection for disclosures and as a possible criterion for the data protection impact assessment for cross-border outsourcing of data processing. However, public bodies of cantons and municipalities remain legally responsible for the corresponding risk assessment in individual cases.
However, it is undisputed that the DPF stands on feet of clay, in particular due to the weakening of the US PCLOB (Privacy and Civil Liberties Oversight Board) and the review of the adequacy of the EU-US DPF pending before the European Court of Justice (Latombe v Commission, Case T‑553/23).
privatim therefore gives three recommendations for the outsourcing of data to certified organizations:
- Verify: At the time of a planned transfer of personal data to a private organization in the USA, check the legal situation regarding the Swiss-US DPF (https://www.dataprivacyframework.gov/list);
- Certificate quality: It should be noted that the certificate can be revoked at any time or not renewed by the data recipient;
- Exit scenario: If the processing of personal data is outsourced to a Swiss‑U.S. DPF-certified organization, exit scenarios must be planned.
These recommendations are certainly correct, and they are in line with what private companies are also advised to do when exporting data to the USA. It makes sense, for example, to agree standard contractual clauses with the US importer (with the adjustments for Switzerland that the FDPIC has requested), either applying them directly or applying them on the condition that the DPF should no longer be effective for the export to the importer.