In less than a month, on April 12, the U.S. Department of Commerce (“Commerce”) will begin accepting applications for the Swiss-U.S. Privacy Shield Framework (“Swiss-U.S. Privacy Shield”). As we have written, the Swiss-U.S. Privacy Shield replaced the U.S.-Swiss Safe Harbor Framework (“U.S.-Swiss Safe Harbor”) for the transfer of data from Switzerland to the United States.
What Companies Need to Do Now. Recently released FAQs from Commerce provide guidance to companies on how to certify.
- Five Steps to Add Swiss Self-Certification to Existing EU-U.S. Privacy Shield Certification. If your company has already self-certified to the EU-U.S. Privacy Shield Framework (“EU-U.S. Privacy Shield”), beginning on April 12, you can update your certification application to include the Swiss-U.S. Privacy Shield through five (5) simple steps:
  - Step Two – Update Registration with Private Dispute Resolution Provider. Companies working with a private dispute resolution provider (e.g., JAMS, TRUSTe) for disputes related to non-HR data will need to update their registration to reflect that they are doing so in connection with the Swiss framework as well.
  - Step Three – Pay Annual Fee. Participants must pay a separate fee to the U.S. International Trade Administration (“ITA”) in order to participate. The Swiss-U.S. Privacy Shield fee “will be tiered based on the organization’s annual revenue.” Commerce has promised that more information on the fee structure will be provided “soon.”
  - Step Four – Update Online Account. Log on to your Privacy Shield account, click on “self-certify” and add the Swiss-U.S. Privacy Shield to your self-certification.
- What Other Companies Have to Do. If you are not certified to the EU-U.S. Privacy Shield, you will need to submit a full application. You can do so by clicking on the “Self-Certify” link on Commerce’s Privacy Shield website, creating a profile and choosing whether to certify to one or both frameworks. See our prior post for more on how you can achieve compliance with the Privacy Shield Principles – required before certification to either framework.
Parting Thoughts . . .
- Consistent Recertification Date. Good news for those trying to manage global programs and requirements simultaneously – Commerce has prescribed that the recertification date for companies with both Swiss-U.S. and EU-U.S. Privacy Shield certification will be one year from the date the first of the two certifications was finalized, enhancing efficiency.
- Global Approach and Integrated Frameworks. There is a trend among leading companies to build integrated frameworks and tools to coordinate their Privacy Shield re-certification efforts with their GDPR and other global compliance assessments and ongoing audits.
PH Privacy is Paul Hastings’ Privacy, Cybersecurity and Data Governance blog.