Feb 212017

Transatlantic Data flow – the new Swiss – U.S. Privacy Shield available April 12, 2017

Cameron F. Kerry and Sabrine Schnyder
, , ,

Following the establishment of the E.U. – U.S. Privacy Shield last summer, Switzerland has now agreed to a similar framework facilitating the transfer of personal data from Swiss companies to companies based in the United States (hereinafter “Swiss – U.S. Privacy Shield” or “Privacy Shield”) that will allow companies to certify adherence to the framework as of 12 April 2017.

The Swiss do not permit the transfer of personal data to the United States in the absence of a determination of adequacy.  In these circumstances, Safe Harbor arrangements have provided a mechanism to facilitate transatlantic data flows.  These mechanisms have been in question In the wake of the 6 October 2015 decision of the Court of Justice of the European Union (“CJEU”), which invalidated the European Safe Harbor agreement [CJEU C-362/14 – “Schrems”].  The uncertainty was exacerbated when the Swiss Federal Data Protection and Information Commissioner, the competent authority in Switzerland for issues related to data protection,  announced that the Swiss Safe Harbor agreement would no longer provide a legal basis for data transfers to the United States.  As a result, the transfer of personal data from Switzerland to the United States was called into question, creating additional legal risks and uncertainty for multinational businesses.

Following in the footsteps of the EU, Switzerland has now agreed to a new framework similar to the EU – U.S. Privacy Shield. The Swiss-U.S. Privacy Shield will replace the use of Safe Harbor arrangements, facilitating transatlantic data flow once more.  By adhering to the Swiss-U.S. Privacy Shield, U.S. Companies make themselves subject to the applicable Privacy Shield privacy principles enforceable primarily by the Federal Trade Commission, and Switzerland will in these circumstances deem adherents to be bound by adequate data protection standards.

Companies having adhered to the previous Safe Harbor arrangement are not automatically enrolled under the Privacy Shield.  Rather, a new registration will be necessary as well as a modification of the privacy policies appearing on company websites or elsewhere to reflect the Privacy Shield principles.  Companies may start the process of certifying their adherence to the framework as of 12 April 2017 with fast track registration for companies already participating in the EU-U.S. Privacy Shield.

Companies that certified their participation in the EU-U.S. Privacy Shield may wish to consider extending their participation to the Swiss-U.S. Privacy Shield, as the Swiss version has only a few minor differences from its EU counterpart:

  • The definition of “sensitive data” under the Swiss-U.S. Privacy Shield also includes ideological views or activities, information on social security measures or data on pending or past administrative or criminal proceedings as well as sanctions, such as disciplinary actions by associations.
  • The Swiss Federal Data Protection and Information Commissioner substitutes for that of the competent European authority.  Thus, where the Privacy Shield frameworks require companies to comply with the authorities’ recommendations, companies will have to work with the Swiss authority with regard to Swiss personal data and with the European authorities with regard to European personal data.

Some legal uncertainty remains with regard to transatlantic data flow as the EU-U.S. Privacy Shield has recently been challenged before the CJEU.  Nevertheless, the establishment of a Swiss-U.S. Privacy Shield is a welcome development that will provide greater certainty for business operating across Swiss borders and in the United States.

Cameron F. Kerry

ckerry@sidley.com

Sabrine Schnyder

sschnyder@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.