Swiss-U.S. Privacy Shield Framework is Open for Business
On April 12, 2017, U.S. Secretary of Commerce Wilbur Ross announced that the newly launched Swiss-U.S. Privacy Shield Framework (Swiss Privacy Shield) is now accepting self-certifications. The International Trade Administration (ITA) at the U.S. Department of Commerce is accepting certifications through the Privacy Shield Website.
The Swiss Privacy Shield provides companies a mechanism to comply with Swiss data protection requirements when transferring personal data in support of transatlantic commerce from Switzerland to the United States.
“The [Swiss Privacy Shield] supports U.S. economic growth by ensuring that Swiss and American businesses can transfer data and deliver innovative online products and services under enhanced data protection,” said Secretary Ross. “It is a prime example of the Department’s efforts to ensure a strong foundation for the digital economy by facilitating data flows and upholding high privacy standards. We look forward to working with our Swiss counterparts as we implement the Framework together.”
This mechanism replaces the U.S.-Swiss Safe Harbor Framework, which was used by approximately 4,000 U.S. companies. The Swiss Privacy Shield aligns with the EU-U.S. Privacy Shield Framework (EU Privacy Shield), making it easier for companies to streamline compliance efforts in both Switzerland and the European Union. The EU Privacy Shield, which launched on August 1, 2016, currently includes nearly 2,000 U.S.-based participants.
If your organization has already self-certified to the EU Privacy Shield, it can now add the Swiss Privacy Shield to its self-certification under the EU Privacy Shield. All organizations that add the Swiss Privacy Shield will be required to pay a separate annual fee to ITA and update their privacy policy to refer to the organization’s participation in the Swiss Privacy Shield.
The Swiss Privacy Shield adopts requirements that are almost identical to those incorporated in the EU Privacy Shield. For example, the Swiss Privacy Shield requires participating companies to annually certify with the U.S. Department of Commerce and to voluntarily adhere to the seven Privacy Shield Principles and sixteen sub-principles (“Principles”). Participating organizations must develop comprehensive privacy notices that publicly declare the organization’s compliance with the Principles and explain the organization’s data collection practices. Like the EU Privacy Shield, the Swiss Privacy Shield carves out specific obligations for the transfer of Swiss employee data to the U.S.
The differences between the Swiss Privacy Shield and the EU Privacy Shield include:
- The Swiss Federal Data Protection and Information Commissioner substitutes for the EU Data Protection Authorities.
- The definition of sensitive data under the Choice Principle under the EU Privacy Shield is modified slightly under the Swiss Privacy Shield to include ideological or trade union related views or activities, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.
- At the first annual review, the U.S. Department of Commerce will work with the Swiss Government to implement a binding arbitration option in Annex I of the Swiss Privacy Shield.
Importantly, an organization’s recertification date for both the Swiss Privacy Shield and EU Privacy Shield will be one year from the date the first of its two certifications was finalized.
Organizations interested in joining the EU Privacy Shield and Swiss Privacy Shield should first learn about the requirements and benefits. For more information please see the EU Privacy Shield requirements: http://trade.gov/td/services/odsi/swiss-us-privacyshield-framework.pdf.
Disclosure: Please note that the information provided in this Client Alert does not constitute legal advice and is not intended to be and should not be construed as legal advice. Readers with questions specific to the issues raised in this Client Alert should consult with qualified legal counsel. If you have any questions, E. Martín Enriquez may be reached at menriquez@lrrc.com or 303.628.9585.