The new U.S.-Swiss Safe Harbor Framework ("U.S.-Swiss Safe Harbor"), effective February 16, 2009, facilitates transfer of personal data from companies in Switzerland to companies in the United States.
Previously, the Swiss Data Protection Act ("DPA") permitted the transfer of "personal data" from Switzerland only to jurisdictions that the Federal Data Protection and Information Commissioner ("FDPIC") deemed to provide an adequate level of data protection. In order to transfer personal data from Switzerland to jurisdictions that the FDPIC did not deem to provide an adequate level of data protection, the exporting and importing organizations were required to sign an agreement guaranteeing that the importing organization would provide the "appropriate" level of data protection required under Swiss law. The FDPIC has found the following contractual agreements to provide an appropriate level of protection: (1) Standard Contractual Clauses of the European Union, (2) the Council of Europe's model contract for safeguarding an appropriate level of data protection in transborder data transfers, and (3) the FDPIC's model contract for the outsourcing of data processing abroad. The parties would then submit the agreement to the FDPIC for inspection and approval prior to any transfer of personal data outside of Switzerland. With the implementation of the U.S.-Swiss Safe Harbor, organizations seeking to transfer personal data from Switzerland to the United States now have an alternative means to do so under the DPA.
Similar to the existing Safe Harbor structure between the European Union and the United States ("U.S.-E.U. Safe Harbor"), the U.S.-Swiss Safe Harbor allows U.S. companies to self-certify to the U.S. Department of Commerce that they will uphold the same seven data protection principles contained in the U.S.-E.U. Safe Harbor Framework: Notice, Choice, Onward Transfer, Security, Data Integrity, Access, and Enforcement. Applicants may certify to the U.S.-Swiss Safe Harbor alone or along with the U.S.-E.U. Safe Harbor on the same Certification Form by selecting Switzerland as a country from which they receive personal data. Switzerland will recognize certified companies as meeting its required standard of data protection and allow transfer and access to Swiss personal data by these companies. The U.S.-Swiss Safe Harbor also provides for special dispute resolution boards in cases of data protection breaches and permits the U.S. Federal Trade Commission to take action against certified companies in cases of egregious or repeated data protection infringement. These remedies are in addition to possible private actions.
The significant overlap in substantive requirements and certification procedures for both the U.S.-Swiss and U.S.-E.U. Safe Harbors will likely benefit entities seeking to streamline compliance policies and procedures for transferring data from both the European Union and Switzerland to the United States. One notable distinction, however, is that the Swiss DPA defines "personal data" to include all information relating to natural and legal persons, e.g., companies, associations, etc. By contrast, both the U.S.-Swiss Safe Harbor and the U.S.-E.U. Safe Harbor cover only personal data of natural persons. Thus, organizations seeking to transfer other types of data from Switzerland may still need to enter into cross-border data transfer agreements and seek approval from the FDPIC.