With the verdict from July 16, 2020, the Privacy Shield was declared invalid as a means of data transfer to the USA with immediate effect.

For companies in Switzerland, this means that the Switzerland-USA Privacy Shield is expected to be amended soon, requiring alternative options for data transfer to the USA. The focus is now on the Standard Contractual Clauses (SCC), which, according to the ECJ, require a detailed examination of the circumstances in the recipient country and an overall assessment of the situation. It is no longer sufficient to simply conclude SCCs without clarifying the conditions of the transfer and assessing its impact on the rights and freedoms of data subjects.

The following procedure is therefore recommended as immediate steps:

• Verification of contract processors who use the Privacy Shield (with the Priverion platform, you can easily check this)
• Conclusion of an alternative transfer option, such as standard contractual clauses
• Review of individual cases and documentation of the audit in cases where SCCs are used

Our team is available to schedule an appointment for detailed consultation.

After the Privacy Shield was lifted, a legal grey area was created for data transfer between the EU and the USA. To address this issue, in 2023, the EU-US Privacy Framework (DPF) program introduced. This new framework ensures secure data flows for Europeans and provides companies on both sides of the Atlantic with legal certainty.

In addition, the UK extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF) and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were developed to facilitate transatlantic trade. These frameworks provide US organizations with reliable mechanisms to transfer personal data from the European Union (EU)/European Economic Area (EEA), the United Kingdom (including Gibraltar), and Switzerland to the United States in compliance with EU, UK, and Swiss data protection laws.

The implementation of these frameworks marks a significant step towards strengthening transatlantic relations and promoting data protection. The US has implemented unprecedented commitments to establish the new framework, which strengthens citizens' confidence in the security of their data while underlining the shared values between the EU and the US.

To benefit from these frameworks, organizations must certify their compliance with the DPF principles to the U.S. Department of Commerce’s International Trade Administration (ITA) and be placed on the Data Privacy Framework List. Removal from this list means that organizations can no longer claim to be part of the EU-US Data Privacy Framework or its extensions and cannot receive personal data under the relevant parts of the DPF program.