The U.S.-Swiss Safe Harbor Framework

17. Februar 2009 – Personal data may only be disclosed or transferred from Switzerland to a recipient in the U.S.A. if an exception specified by Art. 6 para. 2 of the Swiss Data Protection Act (DPA) applies because neither U.S. federal law nor the laws of any U.S. state are considered under Swiss law to guarantee an adequate level of data protection. If none of the other exceptions set out in Art. 6 para. 2 DPA are available, the data exporter needs to enter into a specific cross-border data transfer agreement with the recipient in the U.S.A. and notify the Federal Data Protection and Information Officer about it. These requirements are cumbersome and have often been disregarded despite the risk of sanctions.

In December 2008, the U.S. Department of Commerce and the Federal Data Protection and Information Commissioner completed negotiations for a U.S.-Swiss Safe Harbor Framework. This framework is based on the EU-U.S. Safe Harbor Framework and aims to facilitate transfers of personal data from Switzerland to recipients in the U.S.A.

The U.S.-Swiss Safe Harbor Framework entered into force on the 16th of February 2009.

If a recipient based in the U.S.A. has certified its adherence to the U.S.-Swiss Safe Harbor Framework to the U.S. Department of Commerce, personal data concerning natural persons that is covered by the certification may be disclosed or transferred to it from Switzerland even if none of the exceptions set out in Art. 6 para. 2 DPA are met. In fact, the certification of adherence to the U.S.-Swiss Safe Harbor Framework creates an adequate level of data protection with respect to such recipient and the personal data covered by its certification.

Adherence to the U.S.-Swiss Safe Harbor Framework is not compulsory, but it greatly facilitates the transfer of personal data from Switzerland to the U.S.A. This is particularly true if the recipient in the U.S.A. has already certified its adherence to the EU-U.S. Safe Harbor Privacy Principles.

The U.S.-Swiss Safe Harbor Framework is limited in scope. It covers only the transfer of personal data concerning natural persons (and not legal entities). In addition, certain types of data or methods of data processing might not be included in a particular certification. Even if a recipient has given a certification under the U.S.-Swiss Safe Harbor Framework, it is important to ensure that the personal data to be transferred are actually covered by the certification. If the data are not covered, it might still be necessary to enter into a specific cross-border transfer agreement and inform the Federal Data Protection and Information Commissioner before the transfer is made or access to the data is provided.