The Swiss Parliament passed the revised Federal Act on Data Protection (nFADP) in the fall of 2020. The Swiss Federal Council announced that the law will enter into force on September 1, 2023. As there will be no transition period, the requirements must be met from the first day the law becomes effective.
While we already have provided an overview of the legal innovations of the nFADP , this article gives an insight into international data transfers under Swiss law and draws attention to the extent to which the revision of the law affects Switzerland’s international data transfers.
Data transfers in light of the current and the new data protection law
Under the nFADP, the international transfer of personal data, or cross-border disclosures, are regulated differently than under the FADP. The international transfer of personal data was previously regulated by Art. 6 (1) FADP. In the future, this regulation will be found in Art. 16 (1) nFADP.
According to the old Art. 6 (1) FADP, personal data may not be transferred abroad if this would seriously endanger the privacy of the data subjects, specifically, when an adequate data privacy legislation does not exist in the importing country. The wording has now been positively formulated and states that personal data may be transferred abroad if the Federal Council has determined that the legislation of the destination country ensures adequate protection, Art. 16 (1) nFADP. While previously the Federal Data Protection and Information Commissioner (FDPIC) maintained and published a non-binding list of countries with an adequate level of data protection, the Federal Council now makes a binding decision on adequacy. This list can be found in the annex to the Ordinance to the nFADP. It includes all EU member states, the United Kingdom, to some extent Canada, as well as Andorra, Argentina, Faroe Islands, Gibraltar, Guernsey, Iceland, Isle of Man, Israel, Jersey, Monaco, New Zealand and Uruguay.
If data is to be transferred to a country for which the Federal Council has not adopted an adequate level of data protection, personal data may only be transferred in the cases specified in Art. 16 (2) nFADP. One of these cases is the existence of standard contractual clauses (SCCs) that the FDPIC has previously approved, adopted or recognised, Art. 16 (2)(d) nFADP. In its opinion from August 27, 2021, the FDPIC (still based on the old Art. 6 (2)(a) FADP) recognized the use of the EU- standard contractual clauses, provided that the necessary adaptations and modifications for the use under Swiss data protection law are made. For this purpose, the FDPIC has published a guide explaining the necessary Swiss adaptations and amendments. The guide can be found here. These adaptations/amendments concern (i) the competent supervisory authority, (ii) the applicable law for contractual claims under Clause 17, (iii) the place of jurisdiction for actions between the parties under Clause 18 b, (iv) as well as actions by data subjects, (v) adaptations or additions regarding references to the GDPR, which in the Swiss context may be understood as references to Swiss law, and (vi) Switzerland-specific additions (e.g., that the clauses must also protect the data of legal persons, Art. 2 (1) FADP).
Approximations and remaining differences to the GDPR
By recognizing the EU SCCs as an adequate protection measure under Swiss data protection law (provided they have been adapted to Swiss requirements), Switzerland has already taken a GDPR-friendly position. The fact that many changes to the nFADP are inspired by the GDPR also demonstrates this trend, as we reported previously.
However, despite the convergences, there are still some differences between the nFADP and the GDPR. In the following part, we will discuss such convergences and differences, that have implications for international data transfers.
One approximation of the nFADP with the GDPR that will have an impact on international data transfers is in the scope of the new law. Like the GDPR, it now refers only to natural persons (Art. 2 (1) nFADP) and no longer protecting the data of legal persons (Art. 2 (1) FADP). This facilitates the adaptation of the EU-SCCs to Switzerland, as the protection of the legal entities’ data no longer needs to be added.
Another alignment with the GDPR is the geographical scope of the nFADP, which applies to all matters that have an impact in Switzerland, even if they are initiated abroad. For companies this means the marketplace rule, i.e., the law applies to both, companies with a location in Switzerland and companies without a location in Switzerland, provided the company targets the Swiss market. Prior to its revision the Swiss law was only applicable to companies with a registered office in Switzerland. For private controllers with a registered office or domicile abroad this means that they must appoint a representative in Switzerland, if they process personal data of persons in Switzerland and the data processing meets all of requirements mentioned in Art. 14 (1) nFADP.
Among the differences to the GDPR, relevant to international transfers, are the fines under the new Swiss law, Art. 60 et seq. nFADP. Although fines have increased compared to the old law, they are still relatively low (CHF 250.000) compared to the GDPR (EUR 20 million, or 4% of annual global turnover). The big difference is that the fines under the nFADP do not target the company but the responsible person (decision maker/ management).
Data transfer from the EU to Switzerland
Data transfers from the EU to Switzerland will in the near future be re-evaluated most likely. Currently, there is an EU adequacy decision for Switzerland. However, this decision was made in accordance with the previous EU Data Protection Directive 95/46/ES in 1995. A reassessment is to be expected, but with the alignment of Swiss law with the GDPR, it can be assumed that the EU will renew Switzerland’s adequacy status.
Although the changes may seem extensive, the impact of the new Swiss data protection law on international transfers is manageable. Companies that implement the above changes will be well prepared to welcome the revised Federal Act of Data Protection on September 1, 2023.