In less than a month, on April 12, the U.S. Department of Commerce (“Commerce”) will begin accepting applications for the Swiss-U.S. Privacy Shield Framework (“Swiss-U.S. Privacy Shield”). As we have written, the Swiss-U.S. Privacy Shield replaced the U.S.-Swiss Safe Harbor Framework (“U.S.-Swiss Safe Harbor”) for the transfer of data from Switzerland to the United States.

What Companies Need to Do Now. Recently released FAQs from Commerce provide guidance to companies on how to certify.

  • Five Steps to Add Swiss Self-Certification to Existing EU-U.S. Privacy Shield Certification. If your company has already self-certified to the EU-U.S. Privacy Shield Framework (“EU-U.S. Privacy Shield”), beginning on April 12, you can update your certification application to include the Swiss-U.S. Privacy Shield through five (5) simple steps:
    • Step One Update Privacy Policy. Companies must update their privacy policies (i) to certify compliance with the Swiss-U.S. Privacy Shield; (ii) to indicate their willingness to cooperate and comply with the advice of the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) for disputes relating to HR data, in addition to the European data protection authorities (“DPAs”); and (iii) to include within the definition of sensitive personal data ideological views or activities, information on social security measures, or administrative or criminal proceedings and sanctions that are treated outside pending proceedings.
    • Step Two Update Registration with Private Dispute Resolution Provider. Companies working with a private dispute resolution provider (e.g., JAMS, TRUSTe) for disputes related to non-HR data will need to update their registration to reflect that they are doing so in connection with the Swiss framework as well.
    • Step Three Pay Annual Fee. Participants must pay a separate fee to the U.S. International Trade Administration (“ITA”) in order to participate. The Swiss-U.S. Privacy Shield fee “will be tiered based on the organization’s annual revenue.” Commerce has promised that more information on the fee structure will be provided “soon.”
    • Step Four Update Online Account. Log on to your Privacy Shield account, click on “self-certify” and add the Swiss-U.S. Privacy Shield to your self-certification.
    • Step Five Address HR Data Disputes. Consistent with your updated privacy policy (see Step One), commit in your certification to cooperate and comply with the advice of the Swiss FDPIC for HR data-related issues.
  • What Other Companies Have to Do. If you are not certified to the EU-U.S. Privacy Shield, you will need to submit a full application. You can do so by clicking on the “Self-Certify” link on Commerce’s Privacy Shield website, creating a profile and choosing whether to certify to one or both frameworks. See our prior post for more on how you can achieve compliance with the Privacy Shield Principles – required before certification to either framework.
  • What Companies with an Active Swiss Safe Harbor Certification Have to Do. If your company was previously certified to the U.S.-Swiss Safe Harbor, you’ll still need to submit an application to the Swiss-U.S. Privacy Shield. In doing so, be sure to remove any references to the Swiss Safe Harbor in your privacy policy (in addition to updating it to comply with Privacy Shield requirements). Once a company’s certification to the Swiss-U.S. Privacy Shield has been approved, the Commerce team will withdraw it from Safe Harbor – adjusting U.S.-Swiss Safe Harbor records so that the “certified through” date displayed in the record reflects the date of certification to the Privacy Shield.

Parting Thoughts . . .

  • Consistent Recertification Date. Good news for those trying to manage global programs and requirements simultaneously – Commerce has prescribed that the recertification date for companies with both Swiss-U.S. and EU-U.S. Privacy Shield certification will be one year from the date the first of the two certifications was finalized, enhancing efficiency.
  • Global Approach and Integrated Frameworks. There is a trend among leading companies to build integrated frameworks and tools to coordinate their Privacy Shield re-certification efforts with their GDPR and other global compliance assessments and ongoing audits.

PH Privacy is Paul Hastings’ Privacy, Cybersecurity and Data Governance blog.