Privacy Shield: preventive measures for transferring data to the United States of America

After the European Court of Justice (ECJ) declared the EU-US Data Protection Agreement “Privacy Shield” invalid in July 2020, the Federal Data and Information Protection Commissioner (FDPIC) followed in the fall: it found that the United States was not providing an adequate level of Protection for Swiss personal data is also reported (Computerworld reported). According to him, the standard contractual terms are also insufficient.

• The convention is under Swiss law and the place of Swiss jurisdiction
• Encryption, with the key retained by the public authority (Hold your private key)
• Alias ​​for personal data
• Use of a hybrid cloud, i.e. a combination of a local and a public cloud, especially for data that is subject to special confidentiality obligations (medical data, tax data, data from the social care area)
• Storing all data in Europe, i.e. not transferring it to countries with an insufficient level of data protection. If, according to the data protection official, this requirement cannot be met, there must be full transparency of the transferred data
• Contractual agreement that access from countries with an insufficient level of data protection is possible only with the approval of the public authority
• Expanding contractual provisions or standard contractual clauses

The statement concludes that the Zurich data protection official, Blonsky, wants to provide additional information about the matter as soon as new information becomes available or the legal situation changes.