On 11 January 2017, the Federal Council announced the establishment of a new framework for transferring personal data from Switzerland to the United States: the Swiss-US Privacy Shield.
12 January 2017 – The Swiss-US Privacy Shield replaces the so-called Safe Harbor framework between Switzerland and the US, which the Federal Data Protection and Information Commissioner (the Commissioner) had declared inadequate (see news 22.10.15) and which the Federal Council has now formally terminated. With the establishment of the Privacy Shield, Switzerland will apply similar standards for data exports to the US as the European Union (EU), which set up a comparable system, the EU-US Privacy Shield (see news vom 13.7.16), last summer. The Privacy Shield aims to improve the protection of personal data transferred from Switzerland to US-based companies and therewith facilitates transatlantic data flows. From a Swiss and EU law perspective, the US does not provide an adequate level of data protection.
The Swiss-US Privacy Shield is intended to bring about various improvements for data subjects compared to the Safe Harbor framework including (but not limited to): the stricter application of data protection principles by participating companies; improved management and supervision of the regime by US authorities; an intensified cooperation between the US Department of Commerce (DOC) and the Commissioner; the establishment of an arbitration body dealing with claims that remain unresolved through other remedies; specific instruments for persons domiciled in Switzerland allowing them to launch enquiries relating to the processing of their data from certified US companies or the competent authorities. Although the Swiss-US Privacy Shield defines ‘personal data’ as data about an identified or identifiable ‘individual’, it remains to be seen whether data relating to legal entities will equally be protected (as was the case under the Safe Harbor framework).
Following finalisation of the Swiss-US Privacy Shield, US companies can start certifying under the regime and thereby make themselves subject to its rules. The Commissioner will amend the ‘list of countries’ under Art. 7 of the Ordinance to the Data Protection Act (DPO) for the benefit of certified companies. As a result, Swiss companies will be able in most cases to transmit personal data to certified business partners in the US without additional contractual guarantees being necessary, as was already the case under the former Safe Harbor framework. However, the Commissioner in his press release emphasized the importance of developments in practice. In particular, he reserves the right, following the annual evaluations of the Swiss-US Privacy Shield, to revise the list of countries under Art. 7 DPO if he deems this appropriate.
The US-CH Privacy Shield is expected to enter into force within the next few months and companies will likely be able to register under the new regime quite shortly thereafter. In the meantime, an adequate data protection level for data transfers to the US still needs to be ensured by other means, in particular by contractual safeguards (i.e. typically EU Model Clauses adapted to Swiss law requirements).
The Commissioner’s press release of 11 January 2017 is available here.
All documents and correspondence between the Swiss Government and the DOC concerning the Swiss-US Privacy Shield are available here.