With the judgment of July 16, 2020, the Privacy Shield was declared invalid as a means of data transfer to the USA with immediate effect.

For companies in Switzerland, this means that the Switzerland-USA Privacy Shield is expected to be adjusted soon, so alternative options for transfers to the USA must be found. The focus here is on the standard contractual clauses (SCC), which, according to the ECJ, now require a detailed examination of the circumstances in the recipient country and an overall assessment of those circumstances. It is no longer sufficient to complete the SCC without clarifying the circumstances of the transfer and examining its impact on the rights and freedoms of data subjects.

The following procedure is therefore recommended as immediate steps:

  • Verification of contract processors who use the Privacy Shield
  • Conclusion of an alternative transfer option, such as standard contractual clauses
  • Review of individual cases and documentation of the audit in cases where SCCs are used

Data Privacy Framework

After the Privacy Shield was invalidated, data transfers between the EU and the USA were left in a legal grey area. To address this issue, the EU-US Data Privacy Framework (DPF) program was launched in 2023. This new framework ensures secure data flows for Europeans and provides companies on both sides of the Atlantic with legal certainty.

In addition, the British extension of the EU-U.S. Data Privacy Framework (UK extension to the EU-U.S. DPF) and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were developed to facilitate transatlantic trade. These frameworks provide US organizations with reliable mechanisms to transfer personal data from the European Union/European Economic Area, the United Kingdom (including Gibraltar) and Switzerland to the United States that are compliant with EU, UK and Swiss data protection laws.

The implementation of these frameworks marks a significant step towards strengthening transatlantic relations and promoting data protection. The US has implemented unprecedented commitments to establish the new framework, which strengthens citizens' confidence in the security of their data while underlining the shared values between the EU and the US.

To benefit from these frameworks, organizations must certify their compliance with the DPF principles to the ITA and be placed on the Data Privacy Framework List. Once removed from this list, an organization can no longer claim to belong to the EU-U.S. Data Privacy Framework or its extensions, and can no longer receive personal data in accordance with the relevant parts of the DPF program.

