The governments of Switzerland and the United States finalised the Swiss-U.S. Privacy Shield Framework on 11 January. The Framework is similar in many respects to the EU-U.S. Privacy Shield, and replaces the U.S.-Swiss Safe Harbor Framework with immediate effect.
The new Swiss-U.S. Privacy Shield Framework (Framework) will enable certified companies to carry out data transfers between the two countries in compliance with Swiss data protection laws. The Framework deliberately mirrors the EU-U.S. Privacy Shield to provide consistency – with the Swiss Federal Council pointing to this as a significant measure as “it guarantees the same general conditions for persons and businesses in Switzerland and the EU/EEA area in relation to trans-Atlantic data flows.”
The Framework replaces the U.S.-Swiss Safe Harbor Framework, the validity of which has been doubted following the invalidation of the U.S.-EU Safe Harbor regime by the Court of Justice of the European Union in October 2015.
The Framework is designed to be more robust than its predecessor in a number of ways. In particular:
- Certified companies will be under stricter obligations to protect data, and to provide certain information to data subjects
- There will be greater cooperation between the U.S. Commerce Department and the Swiss data protection regulator
- Certified companies must provide free and accessible dispute-resolution mechanisms, including the ability for data subjects to raise complaints directly with the company, or to submit them to binding arbitration
U.S. companies wishing to certify under the new U.S.-Swiss Privacy Shield can begin the certification process from 12 April this year. Once certified, Switzerland will recognise these companies as having adequate data protection standards. In turn, this will allow most Swiss companies to transfer the personal data that they collect to certified U.S. business partners without requiring additional contractual guarantees.
The Swiss-U.S. Privacy Shield Framework will ensure that Swiss data subjects benefit from the same level of protection as their European counterparts. Meanwhile, the future of the EU-U.S. Privacy Shield hangs in the balance, with challenges to its adequacy pending before the CJEU.