Beginning on April 12, 2017, U.S. organizations that are subject to the investigatory and enforcement powers of the FTC or the Department of Transportation will be able to self-certify to the newly adopted Swiss–U.S. Privacy Shield Framework (“Swiss Privacy Shield”). The Swiss Privacy Shield will allow transfers of Swiss personal data to the United States in compliance with Swiss data protection requirements. The Swiss Privacy Shield will replace the U.S.–Swiss Safe Harbor Framework and will impose similar data protection requirements established last summer for cross-border transfers of personal data from the EU under the EU–U.S. Privacy Shield (“Privacy Shield”).
Organizations with active Privacy Shield certifications will be able to add the Swiss Privacy Shield registration to their existing Privacy Shield accounts, at a separate annual fee. Similarly to the Privacy Shield, the fee for participation in the Swiss Privacy Shield will be tiered based on the organization’s annual revenue. The exact fee structure will be made available sometime before April 12.
Notably, organizations with dual registrations, would need to recertify under both the Privacy Shield and the Swiss Privacy Shield one year from the date the first of their two certifications was finalized. That means, for instance, that an organization that registered for the Privacy Shield on September 1, 2016, which then registers for the Swiss Privacy Shield on May 1, 2017, would need to complete its annual recertification under both frameworks by September 1, 2017.
While the requirements of the two frameworks are nearly identical, there are a few differences:
The EU Data Protection Authorities’ Swiss counterpart, Swiss Federal Data Protection and Information Commissioner (FDPIC), is given the same authority in the Swiss Privacy Shield, as the DPAs are given under the Privacy Shield.
For instance, under the Swiss Privacy Shield, an organization may satisfy points (a)(i) and (a)(iii) of the Recourse, Enforcement and Liability Principle by committing to cooperate with the FDPIC.
With respect to Swiss HR data received for use in the context of the employment relationship, organizations must commit to cooperation and compliance with the advice of the FDPIC. Under the Privacy Shield, the comparable commitment is to cooperate with the EU DPAs.
The definition of “sensitive data” under the Choice Principle is modified under the Swiss Privacy Shield to include “ideological or trade union-related views or activities, or information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.”
At the first annual review, the Department of Commerce will work with the Swiss Government to put in place the binding arbitration option in Annex I of the Swiss Privacy Shield Framework.
Importantly, the Swiss Privacy Shield does not allow for a grace period to revise third-party contracts in compliance with the Privacy Principles. Last year, early Privacy Shield adopters were given a nine-month grace period to bring their third-party contracts in compliance, and for many organizations that time is still running. Practically speaking, those companies that plan to also certify under the Swiss Privacy Shield may hasten their grace period in order to comply with both frameworks.
As the Swiss Privacy Shield enters into force, the Privacy Shield continues to face criticism in the EU, including two separate challenges that have been lodged against the EU framework with the Court of Justice since September 2016, arguing that the framework fails to appropriately address the concerns raised by the Schrems judgment that toppled the U.S.–EU Safe Harbor on October 6, 2015. Additionally, President Trump’s week-old Executive Order affecting foreigners’ access to the Privacy Act may represent a unique challenge to the EU framework, adding to the criticism. This year, personal data transfers from the EU and Switzerland will remain an area to be closely monitored by U.S. companies striving to achieve compliance.