The United States and Switzerland have finalized a Swiss-U.S. Privacy Shield Framework that is nearly identical to the EU-U.S. Privacy Shield. The Swiss Shield codifies the requirements of Article 6 of the Swiss Federal Act on Data Protection. To be eligible for self-certification, organizations must be subject to the investigatory and enforcement powers of the FTC or the Department of Transportation. Switzerland may recognize other statutory bodies that will enforce compliance with the Principles in an annex in the future.
The Swiss-U.S. Privacy Shield applies the same principles as the EU-U.S. Privacy Shield with a few exceptions, most notably:
- The Swiss Shield is regulated by the Swiss Federal Data Protection and Information Commissioner’s Authority (instead of EU DPAs).
- The definition of Sensitive Data is broader under the Swiss Shield, as it includes “ideological views or activities, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.”
- At the first annual review, the Department of Commerce and the Swiss Government will implement a binding arbitration option under the Swiss Shield.
Companies may register under the Swiss-U.S. Privacy Shield starting April, 12 2017. The principles are enforceable immediately upon certification.
To prepare to certify under the Swiss Shield, companies that will receive personal data from Switzerland should:
- Review privacy practices for compliance with the principles of the Shield.
- Revise privacy practices in accordance with the principles.
- Select an independent recourse mechanism.
- Revise and update privacy policies in accordance with the principles, including removing references to Swiss-U.S. Safe Harbor when appropriate.
- On or after April 12, 2017 complete the self-certification on the Department of Commerce’s Privacy Shield website.
Important notes for companies already certified under the EU-U.S. Privacy Shield
- You can log into your existing Privacy Shield account and click on “self-certify” to add the Swiss-U.S. Privacy Shield Framework.
- The recertification date for both the Swiss-U.S. and EU-U.S. Frameworks will be one year from the date the first certification was finalized.