Transatlantic Data flow – the new Swiss – U.S. Privacy Shield available April 12, 2017

Following the establishment of the E.U. – U.S. Privacy Shield last summer, Switzerland has now agreed to a similar framework facilitating the transfer of personal data from Swiss companies to companies based in the United States (hereinafter “Swiss – U.S. Privacy Shield” or “Privacy Shield”) that will allow companies to certify adherence to the framework as of 12 April 2017.

The Swiss do not permit the transfer of personal data to the United States in the absence of a determination of adequacy.  In these circumstances, Safe Harbor arrangements have provided a mechanism to facilitate transatlantic data flows.  These mechanisms have been in question In the wake of the 6 October 2015 decision of the Court of Justice of the European Union (“CJEU”), which invalidated the European Safe Harbor agreement [CJEU C-362/14 – “Schrems”].  The uncertainty was exacerbated when the Swiss Federal Data Protection and Information Commissioner, the competent authority in Switzerland for issues related to data protection,  announced that the Swiss Safe Harbor agreement would no longer provide a legal basis for data transfers to the United States.  As a result, the transfer of personal data from Switzerland to the United States was called into question, creating additional legal risks and uncertainty for multinational businesses.

Following in the footsteps of the EU, Switzerland has now agreed to a new framework similar to the EU – U.S. Privacy Shield. The Swiss-U.S. Privacy Shield will replace the use of Safe Harbor arrangements, facilitating transatlantic data flow once more.  By adhering to the Swiss-U.S. Privacy Shield, U.S. Companies make themselves subject to the applicable Privacy Shield privacy principles enforceable primarily by the Federal Trade Commission, and Switzerland will in these circumstances deem adherents to be bound by adequate data protection standards.

Companies having adhered to the previous Safe Harbor arrangement are not automatically enrolled under the Privacy Shield.  Rather, a new registration will be necessary as well as a modification of the privacy policies appearing on company websites or elsewhere to reflect the Privacy Shield principles.  Companies may start the process of certifying their adherence to the framework as of 12 April 2017 with fast track registration for companies already participating in the EU-U.S. Privacy Shield.

Companies that certified their participation in the EU-U.S. Privacy Shield may wish to consider extending their participation to the Swiss-U.S. Privacy Shield, as the Swiss version has only a few minor differences from its EU counterpart:

  • The definition of “sensitive data” under the Swiss-U.S. Privacy Shield also includes ideological views or activities, information on social security measures or data on pending or past administrative or criminal proceedings as well as sanctions, such as disciplinary actions by associations.
  • The Swiss Federal Data Protection and Information Commissioner substitutes for that of the competent European authority.  Thus, where the Privacy Shield frameworks require companies to comply with the authorities’ recommendations, companies will have to work with the Swiss authority with regard to Swiss personal data and with the European authorities with regard to European personal data.

Some legal uncertainty remains with regard to transatlantic data flow as the EU-U.S. Privacy Shield has recently been challenged before the CJEU.  Nevertheless, the establishment of a Swiss-U.S. Privacy Shield is a welcome development that will provide greater certainty for business operating across Swiss borders and in the United States.