On April 12, 2017, the U.S. International Trade Administration ("ITA") will begin accepting self-certifications for the Swiss-U.S. Privacy Shield ("Swiss Privacy Shield"). The Swiss Privacy Shield replaces the U.S.-Swiss Safe Harbor Framework ("Swiss Safe Harbor") as the mechanism for organizations to transfer personal data from Switzerland to the United States.
After the European Court of Justice ("ECJ") invalidated the EU-U.S. Safe Harbor program in its decision in the Schrems case, the Swiss Federal Data Protection and Information Commissioner ("SDPIC") announced that the Schrems decision extended to the Swiss Safe Harbor as well. The ITA and SDPIC subsequently developed the Swiss Privacy Shield to replace the Swiss Safe Harbor, and finalized the requirements in January 2017. The Swiss Privacy Shield largely follows the framework and requirements of the EU-U.S. Privacy Shield, with some key distinctions and requirements for international businesses transferring personal data from Switzerland to the United States.
Swiss Privacy Shield vs EU-U.S. Privacy Shield: Key Similarities
Aligned with the EU-U.S. Privacy Shield, the requirements for certifying organizations under the Swiss Privacy Shield include the following privacy principles ("Privacy Principles"):
- Notice. Similar to the EU-U.S. Privacy Shield, the Swiss Privacy Shield includes significant notice requirements for certifying organizations to inform individuals about their practices related to the collection and use of personal information under the Privacy Principles, including the purposes for such collection and use, and the identity of the third parties to which they disclose such information. The Swiss Privacy Shield also requires certifying organizations to provide a link to the Swiss Privacy Shield List website, and to disclose specific contact information for complaints and details of the dispute resolution procedure.
- Choice. Generally, the Swiss Privacy Shield requires certifying organizations to provide an opportunity for individuals to opt-out from the processing of their personal information that is disclosed to a third party or used for a purpose that is materially different from that for which it was originally collected or subsequently authorized. For use of "sensitive information" in such ways, including "health conditions, personal sexuality, racial or ethnic origin, political opinions, religious, ideological or trade union-related views or activities, or information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings," certifying organizations must obtain an affirmative, express opt-in from the individuals concerned.
- Onward Transfers to Controllers or Agents. To transfer personal information to a third party acting as a controller, certifying organizations must enter into contracts with such controllers that ensure the same level of data privacy and security protection as the Swiss Privacy Shield principles. For third parties acting as agents, certifying organizations must take several "reasonable and appropriate" steps to ensure that the agent’s conduct is consistent with the certifying organization’s compliance with the Privacy Principles and to prevent unauthorized processing.
- Security. Certifying organizations must take "reasonable and appropriate measures" to protect the relevant personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction. These reasonable and appropriate measures should consider the risks involved in the processing and the nature of the personal data.
- Data Integrity and Purpose Limitation. Certifying organizations must limit the relevant personal data to that which is relevant for the purpose for which it is processed, and may not process such information in a way that is incompatible with the purposes for which it was collected or authorized by the individual. Information that identifies an individual may only be retained for as long as the purpose requires.
- Access. Certifying organizations must provide individuals with access to information about the type of personal information that is stored about them, and the ability to correct, amend, or delete information where it is inaccurate or where individual rights are violated.
- Recourse, Enforcement and Liability. Certifying organizations must provide robust mechanisms for assuring compliance, including by providing recourse to individuals who are affected by non-compliance with the Privacy Principles, and consequences for the organization when the Privacy Principles are not followed.
Swiss Privacy Shield vs EU-U.S. Privacy Shield: Key Distinctions
While the Privacy Principles and requirements of the Swiss Privacy Shield parallel those of the EU-U.S. Privacy Shield for the most part, the Swiss Privacy Shield contains several noteworthy distinctions, including:
- SDPIC Authority. Under the Swiss Privacy Shield, the SDPIC replaces the EU Data Protection Authorities (DPAs) as the authoritative regulatory agency. Organizations dealing with personal data in both Switzerland and EU member states will be subject to the regulatory authority of multiple agencies.
- No Grace Period. As noted above, the Swiss Privacy Shield requires certifying organizations to obtain contractual assurances from their third-party controllers regarding compliance with the Swiss framework. Unlike the EU-U.S. Privacy Shield, however, the Swiss Privacy Shield does not offer participating organizations a grace period to revise third-party controller agreements to meet this requirement. Certifying organizations will need to perform the due diligence necessary to ensure that all contracts with third-party controllers align with the Swiss Privacy Shield prior to self-certification.
- Revised definition of "Sensitive Data". Under the Swiss Privacy Shield, the definition of "Sensitive Data" under the "Choice" principle includes "ideological or trade union related views or activities, or information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings." Certifying organizations should evaluate their existing data inventory and classification policies to determine (i) whether they collect such information, and (ii) if so, whether practices related to this type of information comport with the requirements of the Swiss Privacy Shield.
- Binding Arbitration Option On-Hold. The Swiss Privacy Shield provides a binding arbitration option as the means for an individual to resolve residual claims regarding whether a certifying organization has violated its obligations under the Swiss Privacy Shield. The ITA and the SDPIC will not implement this binding arbitration option until the first annual review of the framework in 2018.
Requirements for Self-Certification
Beginning on April 12, 2017, organizations can submit for self-certification on the Privacy Shield website, available here. Organizations that have already self-certified to the EU-U.S. Privacy Shield may do so for the Swiss Privacy Shield by logging into their existing Privacy Shield account and selecting the Swiss Privacy Shield self-certification option. Those that previously joined the Swiss Safe Harbor will be automatically withdrawn from the prior framework, and the ITA Privacy Shield team will revise its records to reflect certification to the Swiss Privacy Shield.
As with the EU-U.S. Privacy Shield, the ITA has pledged to maintain and publish on the Swiss Privacy Shield website a "Privacy Shield List" of U.S. organizations that have self-certified to the Swiss Privacy Shield. Importantly, the names of organizations that fail to complete annual recertification requirements, voluntarily withdraw from the program, or persistently fail to comply with the Swiss Privacy Shield principles will also be published on the Swiss Privacy Shield website.