Author
Published
5 December 2023
Reading time
On 10 July 2023, the European Commission adopted the agreement in principle on a transatlantic data protection framework reached between the EU and the US in March. This framework agreement became necessary after the European Court of Justice (ECJ) invalidated the previous one. In particular, the judges criticized the extensive access of the US intelligence services to personal data transferred to companies in the US.
The new agreement stipulates that the intelligence services may only access the data if it is necessary and proportionate to protect national security. A new court will ensure data protection and civil liberties standards in the event of complaints from Europeans. These protections also apply to data transfer instruments such as standard contractual clauses and internal company rules. US companies can participate in this data protection framework through a certification process if they comply with data protection obligations, including deletion of unnecessary data and data transfer safeguards.
Data transfers from the EU or EEA, including from Liechtenstein to the US, will become much easier in the future. Companies will no longer have to use standard contractual clauses to legally transfer data to the US, provided that the US company agrees to comply with detailed data protection rules. Companies will now be able to demonstrate compliance through a certification process.
The same organization that won the ECJ ruling has indicated that it will also challenge the new privacy agreement in court. In its view, even the EU Commission's third attempt does not constitute a stable data transfer agreement because “fundamental” surveillance issues have not been sufficiently addressed. A French MEP has already filed a lawsuit on other grounds. The long-awaited legal certainty in data transfers with the US could therefore be short-lived.
In the case of data exchange between Switzerland and the US, the situation is similar to that between the EU and the US. Following the ECJ ruling, the Federal Data Protection and Information Commissioner (FDPIC) removed the US from the list of countries with an adequate level of data protection. Switzerland is currently negotiating its own data protection framework with the US, known as the Swiss-US Data Privacy Framework. Since the entry into force of the new Federal Data Protection Act on 1 September 2023, it has been the responsibility of the Federal Council to assess a country’s adequacy under the Data Protection Act. Despite the agreement between the EU and the US and the possibility of confirmation of an adequate level of protection for certified US companies, the Swiss list of countries with an adequate level of protection will not change until the new framework is available. Personal data may therefore continue to be transferred to the US only with additional safeguards, such as the standard contractual clauses.
Ivica Kuzmic Liechtenstein Bankers Association
Focus
AI has become indispensable in everyday banking. High-quality payment data is critical for personalized experiences and efficient AI applications. Payment enrichment improves data quality and optimizes key processes.
8 July 2026
Experts
Service bureaus have been central players in Swiss payments since the 1990s. They transmit payment orders and ensure data integrity. The SNB has published formal requirements to ensure security and efficiency.
Panorama
Switzerland uses bLink for the secure exchange of data between banks and fintechs. The EU is planning mandatory access to customer data with FiDA. The challenges here are data protection and acceptance. This could influence competition and put Switzerland under pressure.
5 December 2024
PAY NEWSLETTER
Join our community and never miss an update!
Categories