The New Federal Act on Data Protection (nFADP) has stirred discussions about data privacy in Switzerland and its impact on businesses, especially in the age of digitization. To help you navigate through the intricacies of this law, I've compiled a comprehensive guide.
Introduction to nFADP
The nFADP is a Swiss legislation designed to enhance the protection of personal data. It comes at a time when digital transformations are fast-paced, and data privacy has become a pressing concern. The law aims to align Swiss data protection standards with the European Union's General Data Protection Regulation (GDPR).
The EU-U.S Data Privacy Framework and Its Impact
On July 10, 2023, the European Commission established the EU-U.S Data Privacy Framework (DPF), a crucial development for international data transfers.
The DPF serves as a mechanism to ensure proper data protection when private or public entities in the EU and the European Economic Area (EEA) disclose personal data to U.S. corporations that are part of the framework.
The inception of the EU-U.S DPF didn't come easy. It marked the third attempt by EU and U.S. authorities to facilitate transatlantic personal data disclosure. The Court of Justice of the European Union (CJEU) invalidated the previous attempts - the Safe Harbor Framework and the Privacy Shield, hence the birth of the EU-U.S DPF.
The EU-U.S DPF also relies on the U.S. Executive Order 14086 (EO 14086), signed by President Biden on October 7, 2022. This order sets out safeguards for U.S. signals intelligence activities, aligning them with European law principles, including proportionality, oversight, and effective redress for affected data subjects.
Companies under the EU-U.S DPF must adhere to specific privacy principles outlined by the U.S. Department of Commerce. These principles aim to achieve an adequate level of data protection corresponding to the processing of personal data received from data exporters in the EU and the EEA.
The Impact of the EU-U.S DPF on Data Exports to the U.S
With the EU Commission's approval of the DPF, data exporters can transfer personal data from the EU and the EEA to certified U.S. companies under the DPF without additional safeguards. However, companies should assess whether to migrate their data disclosures entirely to the EU-U.S DPF, given its uncertain future.
Swiss Companies and the EU-U.S DPF
Swiss companies can only benefit from the EU-U.S DPF to a limited extent as it doesn't cover data exporters in Switzerland that disclose personal data to certified companies in the U.S. For Swiss data exporters to lawfully disclose personal data to recipients in the U.S, they will need to rely on statutory exemptions or implement alternative safeguards to ensure an adequate level of data protection, such as the EU Standard Contractual Clauses (SCC) or also know as Data Processing Agreements (DPA).
The Proposed Swiss-U.S. Data Privacy Framework
Switzerland is currently in discussions about a "Swiss-U.S. Data Privacy Framework". This framework will address the limitations of the EU-U.S. DPF for Swiss companies. Until its adoption, Swiss companies must remain patient and continue to view the U.S. as a country without adequate data protection laws.
Considerations for Swiss Companies
Swiss companies should continue viewing the U.S. as a country without adequate data protection laws until the Swiss-U.S. Data Privacy Framework is adopted.
However, if a U.S. company is certified under the EU-U.S. DPF, it can be considered an additional layer of protection.
EU-U.S. Data Privacy Framework: Key Points to Know
The Entry into Force of the EU-U.S. DPF
The EU-U.S. DPF is currently in effect. The adequacy decision related to the framework entered into force immediately upon its adoption on July 10, 2023.
What's New with the EU-U.S. DPF?
The EU-U.S DPF introduces several rights for data subjects, including access to their data, correction or deletion of incorrect or unlawfully handled data. It establishes a set of redress avenues in case personal data is processed against the EU-U.S. DPF principles, including a free independent dispute resolution mechanism and an arbitration panel.
How to Check if a U.S. Company is Certified Under the EU-U.S. DPF
The U.S. Department of Commerce will maintain a list of U.S. companies that have self-certified and declared their commitment to adhere to the principles of the EU-U.S. DPF. This listing will help data exporters verify the certification of a U.S. company.
Consequences of Removal from the Data Privacy Framework List
If a company is removed from the Data Privacy Framework List, it will no longer benefit from the EU Commission's adequacy decision regarding the EU-U.S. DPF. Consequently, European data exporters cannot transfer personal data to these U.S. companies without additional safeguards, such as a special DPA, that guarantee adequate protection under the GDPR.
Conclusion
The world of data protection is continually evolving. With the introduction of the nFADP and the EU-U.S. DPF, Swiss companies have to navigate a complex landscape. As they anticipate the Swiss-U.S. Data Privacy Framework, companies must stay informed and adapt to these changes for a smoother transition.
Let us remember that the ultimate goal is to ensure that personal data is handled with the utmost care, respecting privacy and fostering trust in this digital age.
