Transferring data from Switzerland for eDiscovery purposes in a post-Schrems II world

Michael Simon

Introduction: another one bites the dust

On September 8, 2020, Adrian Lobsiger, the Swiss Federal Data Protection and Information Commissioner (FDPIC), announced in a position paper that he no longer considers the Swiss US Privacy Shield agreement to be adequate for the purposes of lawfully transferring personal data from Switzerland to the US. Lobsiger’s determination came as part of his annual report on the Swiss US Privacy Shield, saying that he had taken into account the July 16 2020 “Schrems II” decision of the Court of Justice of the European Union (“CJEU”) and come to the conclusion that the Swiss US Privacy Shield did not offer an adequate level of data protection as required by Swiss data protection law.

With this decision, US litigants and the eDiscovery vendors lost yet another near-seamless international data transfer mechanism. Now, because of Switzerland’s powerful and effective “blocking statutes” against discovery from the US, transfer of data from Switzerland may present even more challenges than those caused by Schrems II for data from the EU.

Wait? There’s a Swiss Privacy Shield? I thought that Switzerland was a part of the EU?

Contrary to what many believe, Switzerland is not a member of the EU. It is not a member of the European Economic Area (EEA) either, which includes all EU member states plus Norway, Iceland, and Lichtenstein – and to which the EU General Data Privacy Regulation (GDPR) applies. However, Switzerland is a part of the European Free Trade Area (EFTA), which effectively creates a single trade market. In 2000, Switzerland became the first country to receive an “adequacy decision” from the EU, indicating that Switzerland’s data protection laws are the equivalent of EU protections and thus allowing free transfer of data from the EU. If all of this seems hard to remember, don’t worry, there will not be a quiz on this later!

What you do need to remember if you are trying to get eDiscovery data from Switzerland is that it has its own privacy law, the Swiss Federal Act on Data Protection (FADP). Like the GDPR, the FADP, in article 6, paragraph 2, permits cross-border transfer of personal data only if adequate data protection can be ensured. While the FADP lacks the GDPR’s terrifying fines of up to 4% of annual worldwide revenues, it still has a nothing-to-sneeze-at penalty of up to CHF 250,000 (roughly $275,000 at the current exchange rate). Perhaps most importantly for those who make or manage eDiscovery requests, the FADP includes personal criminal penalties with potential jail time of up to twenty years!

The FADP has been under a lengthy process of complete revision to further align it with the GDPR. It is worth noting that there are some in Switzerland who feared that they would lose their EU adequacy status during the revision process. Thus, while the FDPIC was not bound by Schrems II, there was good reason for it to follow the CJEU’s decision and so avoid creating any further concerns.

Just like the EU-US Privacy Shield, the Swiss-US Privacy Shield is dead, and the SCCs are on life support

As the position paper makes clear, the FDPIC doesn’t actually have the authority to invalidate the Swiss US Privacy Shield in the way that the CJEU did to the US-EU version in Schrems II. Instead, Lobsiger states:

“Data processors who are on the list of the US Department of Commerce and sign up to the Privacy Shield regime between the US and Switzerland in relation to personal data obtained in Switzerland shall grant special protection rights to persons in Switzerland. However, these rights do not meet the requirements of adequate data protection as defined by the FADP.”

Thus, while the Swiss US Privacy Shield agreement is still technically active, companies that transfer data under the Swiss US Privacy Shield are now subject to prosecution for violating article 6, paragraph 2 of the FDAP, making the continuation of the program effectively moot for those who don’t enjoy spending time in jail. The Swiss courts or the legislature could overrule the FDPIC, but even if that eventually happens, it is going to take time – and time is rarely on your side in eDiscovery.

As to the EU Standard Contractual Clauses (SCC), which the Swiss have generally accepted, aligned with  Schrems II, Lobsiger’s position paper leaves the SCC alive – but just barely so. The position paper evidences substantial doubts about the effectiveness of SCCs for lawfully transferring personal data to the US:

“. . . in the case of transfer of personal data to the USA . . . it is to be assumed that in many cases the SCCs and comparable provisions do not meet the requirements for contractual safeguards pursuant to Art. 6 Para. 2 . . ..”

The position paper then goes on to offer “practical advice” that anyone looking to transfer data from Switzerland would be well-advised to consider.  Indeed, Lobsiger’s advice parallels the advice I gave in my last blog post about taking a risk-based approach each time you consider using the SCCs – from the FDPIC’s position paper, the recommendations are:

“When transferring data to non-listed countries in the future, data exporters should always consider each individual case with due diligence:

a) If the disclosure of data is based on contractual guarantees such as SCCs . . . a risk assessment should be carried out. The exporter should check whether the clauses cover the data protection risks existing in the non-listed country. If necessary, the clauses should be expanded, although this in itself remains of limited effect if the public law of the given country takes precedence and deviates from these . . ..

b) When examining data protection risks, it is of particular relevance whether the data is transferred to a company in a non-listed country that is subject to special access by the local authorities. . .. If this is not the case, any provisions in the SCCs concerning the obligation to cooperate are negated.

c) In such cases, the Swiss data exporter must consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data. If data is stored solely in the cloud by service providers in a non-listed country, for example, encryption would be conceivable. . .. If such measures are not possible, the FDPIC recommends refraining from transferring personal data to the non-listed country on the basis of contractual guarantees.”

Meet Article 271(1) of the Swiss Criminal Code, the mother of all “Blocking Statutes”

Complicating all of these considerations is the fact that Switzerland has several effective blocking statutes that can prevent compliance with US discovery requests. The foremost of these, Article 271(1) of the Swiss Criminal Code (SCrC), prohibits carrying out activities on behalf of a foreign state on Swiss territory which are the responsibility of a public authority or public official. Because discovery is conducted in Switzerland by a judge (common in civil law countries), obtaining evidence for foreign court proceedings constitutes the exercise of public powers that would trigger Art. 271(1). Most other countries’ blocking statutes are viewed as toothless, more theoretical than threatening. In contrast, Article 271(1) can bite and bite hard; the Office of the Attorney General of Switzerland has brought a dozen cases under Art. 271(1) between 2014 and 2018, some of which have led to serious penalties.

The bad news for those seeking discovery of Swiss sources doesn’t end there. Several other provisions of Swiss law can also effectively function as blocking statutes, including SCRC Articles 28a (protection of sources), 273 (industrial espionage), 299 (violation of territorial sovereignty abroad), and 321 (confidentiality). Finally, there is of course that most (in)famous of Swiss privacy laws that posed difficulties to even the US government law enforcement authorities at times, Article 47 of the Federal Act on Banks and Saving Banks.

The Hague Convention may be your best solution

Both Switzerland and the US have signed the Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters of March 18, 1970 (the “Hague Evidence Convention”). Under the Hague Evidence Convention, a judicial authority (but not a private person, including a lawyer) may issue a letter of request to the Swiss authorities. Switzerland contains twenty-six cantons, and so the letter should be issued to the Central Authority of the canton in which the request is to be executed (see here for the official list). However, if you send the request to the Swiss Federal Office of Justice, they will forward it to the proper cantonal authorities, though this may create some further delays in what will already likely be a relatively slow process.

You can also ask a US judge to also request an application for the appointment of a commissioner, typically a local practicing attorney, under Chapter II of the Hague Evidence Convention. A carefully-chosen commissioner can potentially speed up the collection of evidence and provide some local knowledge and on-the-ground flexibility as well.

If all else fails, then the Blocking Statute might save the day (yes, really!)

If you cannot obtain the evidence through the Hague Convention, your last resort is to try to obtain an individual waiver of Art. 271(1) SCrC. The Federal Department of Justice and Police of Switzerland (FDJP) has published some case guidance as to when it will grant a waiver:

  • If there is no threat of sanctions for non-compliance by a party, the international rules on judicial assistance do not apply – and the FDJP does not need to assist;
  • Where there is a threat of sanctions, especially criminal sanctions following at least one subpoena, the international rules apply – and the FDJP may assist; and
  • However, if the Swiss party does not have to provide actual documents, but instead merely information as to whether it has those documents, how many it has and their nature then the rules do not apply – and so there will be no need for FDJP assistance.

How we can help

If you are still struggling with the fallout from the invalidation of the US-EU Privacy Shield, then the end of the Swiss US version presents a whole new pain point for you. We can help you plan for alternative measures to obtain necessary evidence from the EU or from Switzerland – and help you sleep better at night knowing that you won’t be spending your nights in any of these. The key is to be aware of these challenges before a discovery timeline is set. As always, luck favors the prepared!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.