October 3, 2023

Privacy Shield: preventive measures for transferring data to the United States of America

Due to the European Court of Justice ruling on the “Privacy Shield”, Swiss companies and administrative offices must protect themselves as well. Zurich’s Data Protection Officer Dominica Blonsky outlines possible measures.

After the European Court of Justice (ECJ) declared the EU-US data protection agreement “Privacy Shield” invalid in July 2020, the Federal Data Protection and Information Commissioner (FDPIC) followed in the fall: he found that the United States was not providing an adequate level of protection for Swiss personal data either (Computerworld reported). According to him, the standard contractual clauses are also insufficient.

Domestic companies that transfer data to a data center or subsidiary in the US must safeguard themselves contractually. According to Zurich’s data protection officer, Dominica Blonsky, this also applies to public bodies in the Canton of Zurich. When using cloud services that involve transferring personal data to the United States of America, these services will now need to “ensure adequate protection through a combination of technical, legal and regulatory measures”, even if standard contractual clauses are used. She wrote in a statement that various bodies are currently working on finding appropriate solutions.

To protect personal data when exporting it to the USA, Blonsky names possible measures such as:

  • Agreement on Swiss law and a Swiss place of jurisdiction
  • Encryption, with the key retained by the public authority (“hold your own key”)
  • Pseudonymization of personal data
  • Use of a hybrid cloud, i.e. a combination of a local and a public cloud, especially for data that is subject to special confidentiality obligations (medical data, tax data, data from the social care area)
  • Storing all data in Europe, i.e. not transferring it to countries with an insufficient level of data protection. According to the data protection officer, if this requirement cannot be met, there must be full transparency about the transferred data
  • Contractual agreement that access from countries with an insufficient level of data protection is possible only with the approval of the public authority
  • Expanding contractual provisions or standard contractual clauses

The statement concludes that Blonsky, Zurich’s data protection officer, intends to provide additional information about the matter as soon as new information becomes available or the legal situation changes.