Swiss-U.S. Privacy Shield: Key Similarities, Key Distinctions with the EU-U.S. Approach

by White & Case LLP

White & Case Technology Newsflash

On April 12, 2017, the U.S. International Trade Administration ("ITA") will begin accepting self-certifications for the Swiss-U.S. Privacy Shield ("Swiss Privacy Shield").  The Swiss Privacy Shield replaces the U.S.-Swiss Safe Harbor Framework ("Swiss Safe Harbor") as the mechanism for organizations to transfer personal data from Switzerland to the United States.

After the European Court of Justice ("ECJ") invalidated the EU-U.S. Safe Harbor program in its decision in the Schrems case,1 the Swiss Federal Data Protection and Information Commissioner ("SDPIC") announced that the Schrems decision extended to the Swiss Safe Harbor as well. The ITA and SDPIC subsequently developed the Swiss Privacy Shield to replace the Swiss Safe Harbor, and finalized the requirements in January 2017. The Swiss Privacy Shield largely follows the framework and requirements of the EU-U.S. Privacy Shield, with some key distinctions and requirements for international businesses transferring personal data from Switzerland to the United States.

Swiss Privacy Shield vs EU-U.S. Privacy Shield: Key Similarities

Aligned with the EU-U.S. Privacy Shield, the requirements for certifying organizations under the Swiss Privacy Shield include the following privacy principles ("Privacy Principles"):

  • Notice. Similar to the EU-U.S. Privacy Shield, the Swiss Privacy Shield includes significant notice requirements: certifying organizations must inform individuals about their practices related to the collection and use of personal information under the Privacy Principles, including the purposes of that collection and use and the identity of the third parties to whom the information is disclosed. The Swiss Privacy Shield also requires certifying organizations to provide a link to the Swiss Privacy Shield List website, and to disclose specific contact information for complaints and details of the dispute resolution procedure.
  • Choice. Generally, the Swiss Privacy Shield requires certifying organizations to give individuals an opportunity to opt out where their personal information is to be disclosed to a third party or used for a purpose that is materially different from that for which it was originally collected or subsequently authorized. For such uses of "sensitive information", including "health conditions, personal sexuality, racial or ethnic origin, political opinions, religious, ideological or trade union-related views or activities, or information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings," certifying organizations must obtain an affirmative, express opt-in from the individuals concerned.
  • Onward Transfers to Controllers or Agents. To transfer personal information to a third party acting as a controller, certifying organizations must enter into contracts with such controllers that ensure the same level of data privacy and security protection as the Swiss Privacy Shield principles.  For third parties acting as agents, certifying organizations must take several "reasonable and appropriate" steps to ensure that the agent’s conduct is consistent with the certifying organization’s compliance with the Privacy Principles and to prevent unauthorized processing.
  • Security. Certifying organizations must take "reasonable and appropriate measures" to protect the relevant personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction.  These reasonable and appropriate measures should consider the risks involved in the processing and the nature of the personal data.
  • Data Integrity and Purpose Limitation. Certifying organizations must limit the relevant personal data to that which is relevant for the purposes for which it is processed, and may not process such information in a way that is incompatible with the purposes for which it was collected or subsequently authorized by the individual. Information that identifies an individual may be retained only for as long as those purposes require.
  • Access. Certifying organizations must give individuals access to the personal information held about them, and the ability to correct, amend, or delete that information where it is inaccurate or has been processed in violation of the Privacy Principles.
  • Recourse, Enforcement and Liability. Certifying organizations must provide robust mechanisms for assuring compliance, including by providing recourse to individuals who are affected by non-compliance with the Privacy Principles, and consequences for the organization when the Privacy Principles are not followed.

Swiss Privacy Shield vs EU-U.S. Privacy Shield: Key Distinctions

While the Privacy Principles and requirements of the Swiss Privacy Shield parallel those of the EU-U.S. Privacy Shield for the most part, the Swiss Privacy Shield contains several noteworthy distinctions, including:

  • SDPIC Authority. Under the Swiss Privacy Shield, the SDPIC replaces the EU Data Protection Authorities (DPAs) as the authoritative regulatory agency. Organizations dealing with personal data in both Switzerland and EU member states will be subject to the regulatory authority of multiple agencies.
  • No Grace Period. As noted above, the Swiss Privacy Shield requires certifying organizations to obtain contractual assurances from their third-party controllers regarding compliance with the Swiss framework. Unlike the EU-U.S. Privacy Shield, however, the Swiss Privacy Shield does not offer participating organizations a grace period in which to revise third-party controller agreements to meet this requirement. Certifying organizations will need to perform the due diligence necessary to ensure that all contracts with third-party controllers align with the Swiss Privacy Shield prior to self-certification.
  • Changes to Privacy Policy. In advance of self-certification, certifying organizations must review and revise existing privacy policies in order to (i) meet the relatively more stringent and specific notice provisions of the Swiss Privacy Shield,2 and (ii) ensure that all references to the Swiss Safe Harbor have been removed.
  • Revised definition of "Sensitive Data". Under the Swiss Privacy Shield, the definition of "Sensitive Data" under the "Choice" principle includes "ideological or trade union related views or activities, or information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings."3 Certifying organizations should evaluate their existing data inventory and classification policies to determine (i) whether they collect such information, and (ii) if so, whether practices related to this type of information comport with the requirements of the Swiss Privacy Shield.
  • Binding Arbitration Option On Hold. The Swiss Privacy Shield provides a binding arbitration option as the means for an individual to resolve residual claims regarding whether a certifying organization has violated its obligations under the Swiss Privacy Shield.4 The ITA and the SDPIC will not implement this binding arbitration option until the first annual review of the framework in 2018.5

Requirements for Self-Certification

Beginning on April 12, 2017, organizations can submit for self-certification on the Privacy Shield website. Organizations that have already self-certified to the EU-U.S. Privacy Shield may self-certify to the Swiss Privacy Shield by logging into their existing Privacy Shield account and selecting the Swiss Privacy Shield self-certification option. Those that previously joined the Swiss Safe Harbor will be automatically withdrawn from the prior framework, and the ITA Privacy Shield team will revise its records to reflect certification to the Swiss Privacy Shield.

As with the EU-U.S. Privacy Shield, the ITA has pledged to maintain and publish on the Swiss Privacy Shield website a "Privacy Shield List" of U.S. organizations that have self-certified to the Swiss Privacy Shield. Importantly, the names of organizations that fail to complete annual recertification requirements, voluntarily withdraw from the program, or persistently fail to comply with the Swiss Privacy Shield principles will also be published on the Swiss Privacy Shield website.

1 Case C-362/14, Maximillian Schrems v Data Protection Commissioner, 6 October 2015 (declaring the European Commission's adequacy decision invalid on the ground that the Safe Harbor framework failed to provide an adequate level of protection for personal data transferred from the European Union to the United States).
2 See Swiss-U.S. Privacy Shield Framework, § 1 Notice Principle. Notice requirements of the Swiss Privacy Shield include "a declaration of the organization's participation in the Privacy Shield, a statement of the individual's right to access personal data, and the identification of the relevant independent dispute resolution body".
3 Swiss-U.S. Privacy Shield Framework, § 2 Choice Principle.
4 Swiss-U.S. Privacy Shield Framework, Annex I.
5 The Swiss Privacy Shield will be reviewed annually by the Swiss and U.S. governments to ensure that it provides an adequate level of protection for international transfers of Swiss personal data.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White & Case LLP | Attorney Advertising
