On 11 January 2017 the Swiss Federal Council announced that a new agreement on cross-border data transfer from Switzerland to the US was reached. The Swiss-US Privacy Shield framework (the "Swiss-US Privacy Shield") is effective immediately but will only become fully operational as from 12 April 2017 when US organizations may first self-certify.
According to Swiss data protection law, personal data may generally only be disclosed abroad to jurisdictions that ensure an adequate level of protection for such data. Limited exceptions apply, such as obtaining the consent of the data subjects or implementing (standard) contractual clauses or binding corporate rules (the "Alternative Safeguards"). The US are generally considered a jurisdiction that does not ensure an adequate level of data protection.
In 2008 Switzerland and the US entered into an agreement (the "US-Swiss Safe Harbor") allowing for easy cross-border transfers of personal data to the US without further safeguards. But the US-Swiss Safe Harbor was declared inadequate by the Federal Data Protection and Information Commissioner ("FDPIC"), following the CJEU's decision of 6 October 2015, Schrems v Data Protection Commissioner. It has now been formally terminated by the Swiss Federal Council.
2. The Swiss-US Privacy Shield’s goals
The Swiss-US Privacy Shield replaces the US-Swiss Safe Harbor, enabling easy cross-border transfer of personal data to the US again. It generally encompasses the same requirements as the EU-US Privacy Shield with some minor exceptions (for full documentation see the FDPIC's website, short URL: https://goo.gl/BIS9ZI). The Swiss-US Privacy Shield is effective immediately, but may only be used as basis for transfers of personal data as from 12 April 2017 when US organizations may first self-certify.
The Swiss-US Privacy Shield was entered into after US public authorities have confirmed that clear safeguards and limitations exist with respect to access to data by public authorities (such as the NSA). An ombudsperson will have powers to investigate if data subjects suspect that US authorities exceed the applicable limits (e.g., in case of mass surveillance).
3. Key differences between Swiss-US Privacy Shield and terminated US-Swiss Safe Harbor
When compared to the US-Swiss Safe Harbor, the Swiss-US Privacy Shield imposes tougher obligations on US companies. In particular, it introduces the following new requirements:
› Data subjects must be offered the right to opt out when their personal data is to be disclosed to a third party other than a processor or used for a purpose materially different compared to the initial purpose.
› Conditions for onward transfers have been tightened. To transfer personal data exported from Switzerland to a third party, a data importing US organization must enter into a contract with the third party ensuring that the third party will provide the same level of protection as the organization, which now also includes an obligation for the third party concerned to inform the organization when it is no longer able to ensure the appropriate level of data protection.
› US organizations will need to implement processes for handling complaints by data subjects within 45 days and submit to independent dispute resolution bodies, such as the FDPIC or a dispute resolution body based in Switzerland or the US.
› The US Department of Commerce ("DOC") and the Federal Trade Commission may conduct audits of Privacy Shield-certified US organizations.
› The Swiss-US Privacy Shield and its implementation will be reviewed annually and the FDPIC has stated that, depending on the outcome of such review, he may re-evaluate the adequacy of protection provided by the Swiss-US Privacy Shield.
4. Next steps
US-based organizations interested in Swiss-US Privacy Shield certification should prepare for their self-certification (which can be administered on www.privacyshield.gov) and take the following steps:
› Revise their privacy policies to be compliant with the new requirements, in particular by removing any reference to the US-Swiss Safe Harbor Framework.
› Establish follow-up procedures for verifying compliance with the Swiss-US Privacy Shield and train employees with regard to its implementation.
› Collect documentation in preparation for self-certification. Unlike with the US-Swiss Safe Harbor, the DOC will be significantly more involved in ensuring that organizations comply with the Swiss-US Privacy Shield.
Swiss-based organizations transferring personal data to the US should review the corresponding agreements and assess whether they relied on the now terminated US-Swiss Safe Harbor. If so, the respective agreements must be amended to either rely on the Swiss-US Privacy Shield or include Alternative Safeguards (as defined above).
5. Selected issues
a) Should organizations already certified under the EU-US Privacy Shield also self-certify to the Swiss-US Privacy Shield?
Yes. Even though the two are similar, organizations already participating in the EU-US Privacy Shield need to self-certify to the Swiss-US Privacy Shield if they transfer personal data from Switzerland to the US. The extension of the self-certification can be done easily through the DOC's online portal when the organization is already self-certified to the EU-US Privacy Shield, by logging into the organization's account and adding the Swiss-US Privacy Shield and other relevant information, such as dispute resolution mechanisms.
b) Should organizations prefer Alternative Safeguards to the Swiss-US Privacy Shield?
Organizations may still rely on Alternative Safeguards instead of the Swiss-US Privacy Shield. In some cases this may be preferable, considering that:
› for organizations which have not already self-certified to the EU-US Privacy Shield, implementing the Swiss-US Privacy Shield may be a cumbersome process;
› its long-term viability remains uncertain since (i) the similar EU-US Privacy Shield has already been challenged before the CJEU and (ii) the FDPIC has reserved the right to re-evaluate the adequacy of protection provided by the Swiss-US Privacy Shield; and
› considering the current public and political attention directed at protection of personal data, there will likely be an increase of cases where data processing activities will be challenged and the corresponding setups, including privacy policies, will be publicly scrutinized by courts, which may pose reputational risks. This, combined with the significant fines which will likely be introduced in the course of the ongoing revisions of the data protection laws in Switzerland (fine of up to CHF 500'000, see our Newsflash "Revision of the Swiss Federal Data Protection Act" of February 2017), may make a full transparency approach which relies on consent of the concerned data subjects or other Alternative Safeguards more attractive for organizations whose main activities focus on data processing, such as data brokerage, individualized or targeted services, or profiling.