Schrems II and Switzerland: A New Context for Data and Privacy
The EU has coughed, and Switzerland has caught a cold. In July, the European Court of Justice (ECJ) ruled in ‘Data Protection Commissioner v Facebook Ireland and Max Schrems’ – or ‘Schrems II’ – that US data collection policies are not compatible with EU citizens’ rights under the General Data Protection Regulation (GDPR). This invalidated the EU-US Privacy Shield that had governed data transfers between the EU and US.
Now, the Swiss Federal Data Protection and Information Commissioner (FDPIC) has followed in the ECJ’s footsteps, ruling that the US should not feature on the list of third countries with ‘adequate’ protections in place for Swiss citizens’ data. The FDPIC now regards US protections as ‘insufficient’. Accordingly, the Swiss-US Privacy Shield (designed to mirror the EU-US agreement) has effectively been invalidated in all but name.
This development poses inevitable questions for organisations in Switzerland regarding privacy and its status as a core operational capability. Companies should now, at the very least, carry out an audit of their data transfer protocols. In worst-case scenarios, organisations may have to drastically change the way they handle data, potentially even pausing certain high-risk data transfers while assessing the best route forward. There is a lot at stake if this process is not handled properly.
