For organisations with data flows between the United States and Switzerland, it is now possible to self-certify into the Swiss-U.S. Privacy Shield Framework. This process became available on 12 April 2017. The Swiss-U.S. Privacy Shield will operate in a substantially similar way to the EU-U.S. Privacy Shield. There are, however, key differences, including: (1) the definition of ‘sensitive data’ under the Swiss-U.S. Privacy Shield is modified and includes ideological views or activities, information on social security measures, and administrative or criminal proceedings and resulting sanctions (which are treated outside pending proceedings); and (2) the U.S. Department of Commerce is to work with the Swiss Government to incorporate binding arbitration into Annex I of the Swiss-U.S. Privacy Shield Framework.
Frequently Asked Questions (FAQs) have been produced to assist organisations with the voluntary self-certification process, setting out the respective frameworks for the EU and Switzerland. Specifically, the FAQs provide guidance on how to certify to either or both frameworks, and importantly for those already certified to the EU-U.S. Privacy Shield, how to also certify to the Swiss-U.S. Privacy Shield. The procedure can be completed via the Privacy Shield website.
The FAQs also outline the fact that an annual fee for the Swiss-U.S. Privacy Shield will become payable; this fee is tiered based on the relevant organisation’s annual revenue. It is noted that an organisation’s recertification date for both the Swiss-U.S. and EU-U.S. frameworks will be one year from the date that the earlier of its two certifications is finalised.
Regarding the now defunct Swiss-U.S. Safe Harbor Framework, organisations will automatically be withdrawn from the old regime upon self-certifying to the Swiss-U.S. Privacy Shield. The FAQs do, however, expressly state that as well as updating privacy policies to align with Privacy Shield requirements, prior to certifying, organisations must remove all references to the Swiss-U.S. Safe Harbor Framework. In order to assist in this regard, the FAQs provide sample wording for organisations participating in either or both of the frameworks.
Although certification is voluntary, it is beneficial for organisations to commit to the Swiss-U.S. Privacy Shield if the relevant data transfers occur. The Privacy Shield commitment will then become enforceable under U.S. law and will also demonstrate compliance with Swiss data transfer regulations.