DISCLOSURE OF PERSONAL DATA

3.10

Cross-border disclosure of personal data

If data from Switzerland are being disclosed to other countries, there are a few special provisions to take into account.

Data processing in Switzerland and most European countries is subject to clear, and by global standards strict, data protection regulations. If personal data from Switzerland are being disclosed to countries which do not have a corresponding level of data protection, this raises the risk that these data could be used in a manner not permitted under the Swiss or European data protection laws. There is thus a risk that the data subjects’ fundamental rights could be violated.

For this reason, § 23 of the Information and Data Protection Act (IDG) stipulates that personal data may only be disclosed to those countries which have signed up to the Council of Europe Convention 108, soon to be 108+; in other words, countries which thus guarantee a level of protection for the fundamental rights of the data subjects comparable to that of Swiss data protection legislation. Personal data may only be disclosed to other countries if their legislation likewise assures an adequate level of protection or if appropriate protection is guaranteed through contractual agreements between the public body providing the data and the recipients. The states which guarantee an adequate level of protection through legislation are named in a [list](https://www.fedlex.admin.ch/eli/cc/2022/568/en#annex_1) compiled by the Federal Data Protection and Information Commissioner (or in future the Federal Council).

When transferring data abroad, a distinction needs to be made between a handover of personal data from the responsible body to a contracted data processor (§ 7 IDG) on the one hand, and disclosures of data to a recipient to process on its own authority on the other. § 23 IDG applies in the second case; that is, disclosure of personal data to a recipient which they are then allowed to process for a purpose of their own and under their own responsibility. The first case, contracted data processing, does not constitute a disclosure for the purposes of the IDG and thus, in principle, § 23 IDG does not apply. This is because the contracted data processor is permitted to process the data for the purpose specified by the contracting public body – and this body remains accountable to the data subjects, including for what the contracted data processor does, and what it should do but does not. That means the data subjects are no worse off than they would be if the data were being processed in Switzerland. In cases where data are handed over to a contracted data processor in another country, although this means that the data are processed in a country which may have less strict legislation, they are nevertheless still being processed only in accordance with the level of data protection applying to data processing by the disclosing public body. Even if § 23 IDG is not directly applicable to transfers to a contracted data processor abroad, the risks of transferring data abroad need to be assessed. Risk assessments in line with the criteria of § 23 IDG are helpful in this regard, and with appropriate protective measures, for example data encryption, risks can be avoided or reduced to an acceptable level.


Disclosure of personal data to the USA

For disclosure of personal data to the USA, previously there were two agreements in place between the EU Commission and the USA, and Switzerland and the USA respectively: the so-called “Safe Harbor” agreement and the “Privacy Shield” framework. However, the Court of Justice of the European Union (CJEU) has ascertained that, despite all efforts, neither of the two agreements creates an appropriate level of data protection from the perspective of the EU. Although the CJEU judgements are not binding on Switzerland, it has made congruent agreements with the USA and, in turn, needs to demonstrate to the EU that it has an appropriate level of data protection. As a result, in practice these judgements (“Schrems-I and II”) absolutely do have an impact on the permissibility of data transfers from Switzerland to the USA. In this regard, future developments in regulation and case law will need to be kept under review.