Companies transferring data from Switzerland to the US should take note: the Swiss-US Privacy Shield has arrived!
Why Should You Care?
Global companies that transfer Swiss individuals’ personal information from Switzerland to the US must have a legal mechanism in place for doing so. The Privacy Shield provides an enforceable mechanism that the EU and Swiss governments have deemed adequate. The Swiss-US Privacy Shield complements the EU-US Privacy Shield, which applies only to European Economic Area (EEA) member countries.
What Do You Need to Know?
- The Swiss-US Privacy Shield largely mirrors the EU-US Privacy Shield. It has 7 main requirements surrounding the following familiar privacy principles: notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement and liability. For a summary of the EU-US Privacy Shield, please find our previous alert covering it here. US companies could be subject to an FTC or court order if they choose to participate in the Shield, but fail to comply with its requirements.
- There is a major difference in the definition of sensitive information. Departing from the EU-US Privacy Shield, the Swiss-US Privacy Shield expressly includes within its definition of “sensitive information” any ideological views or activities, information on social security measures or administrative or criminal proceedings and sanctions. This expanded definition of sensitive information could affect companies that intend to certify their compliance under the Swiss-US Privacy Shield, as they may need to implement additional measures to safeguard the additional data types that are considered sensitive under the Swiss-US Privacy Shield.
- There are also minor differences between the EU-US and Swiss-US Privacy Shields. For example, the Swiss FDPIC’s authority substitutes for that of the EU DPAs. Also, at the first annual review, the Department of Commerce will work with the Swiss Government to put in place the binding arbitration option that is available under the EU-US Privacy Shield.
The text of the Swiss-US Safe Harbor is available here.
Organizations can begin self-certifying their compliance with the Swiss-US Privacy Shield on April 12, 2017, at privacyshield.gov. We note that as the Swiss-US Privacy Shield is being rolled out, the EU-US Privacy Shield faces at least two separate challenges, alleging that the new agreement fails to address the concerns that were raised by the ECJ during the US-EU Safe Harbor’s invalidation. It remains to be seen how these challenges will affect both the EU-US and Swiss-US Privacy Shields.
Arent Fox’s Cybersecurity & Data Protection group monitors developments in the data protection field. For more information, please do not hesitate to contact Sarah L. Bruno, Eva J. Pulliam, and Lourdes M. Turrecha.