The Swiss government has drafted a proposed list of countries that are approved to receive personal data transfers out of Switzerland. Japan and South Korea are excluded from the current and proposed lists, requiring businesses from those countries to abide by specific legal safeguards for such data transfers.
It is crucial that international data transfers always comply with the data transfer rules of the sending and receiving countries.
The European Union has issued a list of countries that it deems “adequate” for international data transfers, meaning that personal data transfers out of the EU member states to recipients in the listed countries are allowed without legal privacy restrictions. The legal situation for data transfers out of Switzerland is similar, but not identical.
The current EU list includes Argentina, Canada (commercial organizations), Israel, Japan, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay, together with a few small territories/countries. For a recipient country not on the list, data transfers out of the European Union need specific legal safeguards, such as the 2021 Standard Contractual Clauses (SCCs) approved by the European Commission, plus their annexes. Read our separate analysis on the SCCs.
The Swiss government (Bundesrat) has published its own list of adequate countries for international data transfers under Article 16 of the new Swiss Data Protection Act, which will enter into force in 2023. The list is annexed to a new ordinance of the Bundesrat, the Ordinance to the Federal Data Protection Act. It still requires the approval of the Swiss Federal Parliament.
The Ordinance to the Federal Data Protection Act lists the following countries/territories as “adequate” to receive personal data transfers out of Switzerland:
|
Andorra Argentina Austria Belgium Bulgaria Canada (commercial organizations) Croatia Cyprus Czech Republic Denmark Estonia Faroe Islands Finland France Germany Gibraltar Greece Guernsey Hungary Iceland Ireland |
Isle of Man Israel Italy Jersey Latvia Liechtenstein Lithuania Luxembourg Malta Monaco Netherlands New Zealand Norway Poland Portugal Romania Slovakia Slovenia Spain Sweden United Kingdom Uruguay |
Most notably, Japan and South Korea are missing on the Swiss list. Japan and South Korea are also not on Switzerland’s current (2021) list. As a result, EU-based, but not Swiss, companies benefit from the unrestricted data flow with Japan and South Korea. Businesses with data transfers from Switzerland to Japan or South Korea will need Swiss SCCs.
The Swiss Data Protection Authority has Australia listed as a state where "adequate protection may be provided under certain conditions."
The latest Bundesrat list takes effect September 1, 2023, but could be adjusted before then, particularly if the US-European Trans-Atlantic Data Privacy Framework comes into being and Switzerland joins it.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: