International
EU directive on data protection
Switzerland is neither a member of the EU nor of the EEA. Accordingly, the EU Regulation 2016/679, better known as the General Data Protection Regulation (GDPR) is not directly applicable in Switzerland. Despite Switzerland not being a member of the EU and the EEA, Swiss undertakings may be subject to the GDPR (for example where the processing activities are related to the offering of goods or services to individuals in the EU or EEA or the monitoring of individual’s behaviour in the EU or EEA is concerned) (see news 18.12.2015).
Switzerland is a “third country” from the EU’s perspective. The GDPR requires that data may only be transferred to a third country without further action where the European Commission has decided that the third country ensures an adequate level of protection. The European Commission decided on 26 July 2000 in Commission Decision 2000/518/EC (Official Journal L 215/1 of 25.8.2000) that Swiss law provides adequate protection of personal data and therefore data transfers from Member States to Switzerland are, in principle, permitted under Article 45 GDPR (the decision at that time was made in accordance with the former EU Data Protection Directive 95/46/EC). .
Switzerland’s level of data protection is now being reviewed for the first time in two decades, and for the first time under the GDPR. Originally, a new adequacy decision was expected by 2020. However, due to the latest EU case law on data flows to third countries, but also for political reasons, the decision was delayed. Hence, the EU Commission’s decision on the continued acceptance of the adequacy of Switzerland’s data protection legislation is still pending.
The free flow of data from the EEA is particularly important for countries such as Switzerland, which have very close economic relations with the EEA. Consequently, the revision of the FADP was necessary in order to ensure that Switzerland continues to be recognized as a third country with an adequate level of data protection from the perspective of the GDPR and that the cross-border disclosure of data continues to be possible in a relatively uncomplicated manner. Therefore, with the revision of the FADP, Switzerland has most likely created the necessary conditions for the EU to finally confirm and renew Switzerland’s adequacy status.
European Council (Convention No 108)
Switzerland ratified the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention ETS 108) on 2 October 1997 and its Additional Protocol on 20 December 2007. The Convention entered into force for Switzerland on 1 February 1998 and its Additional Protocol on 1 April 2008. The Convention ETS 108 is the first and, to this day, the only binding international instrument in the field of data protection law. It is part of the case law of the European Court of Human Rights (ECtHR), as it is consulted by the latter when interpreting article 8 of the European Convention on Human Rights (ECHR). This is reflected in Swiss jurisprudence; since Switzerland has incorporated the ECHR into its own law, the ECtHR is considered the highest instance with regard to the protection of human rights. The Convention ETS 108 was recently modernized, with the revised Convention ETS 108+ being adopted by the Committee of Ministers on 18 May 2018 (the final text is available here) and opened for signature on 25 June 2018 (technically the Protocol amending Convention ETS 108). At its meeting of 6 December 2019, the Swiss Federal Council ratified the Protocol. The Federal Council then formally signed the Convention ETS 108+ in November 2020. As soon as the revised FADP is in force and the Federal Assembly adopts the Federal Council Dispatch on the approval of the Protocol of 6 December 2019, Switzerland can ratify the new Convention ETS 108+.
Third countries (e.g. USA and UK)
There is no agreement on mutual recognition of data protection levels between Switzerland and, for instance the USA. Regarding the relationship between Switzerland and the UK, the UK government has the power to make its own adequacy regulations in relation to third countries such as Switzerland. At the moment, such UK adequacy regulations also include the countries covered by European Commission “adequacy decisions” valid as of 31 December 2020 – subsequently also Switzerland. The UK intends to review these adequacy regulations over time.