On January 11, U.S. and Swiss authorities announced final agreement on the Swiss-U.S. Privacy Shield Framework. The Framework defines standards for handling personal data exported from Switzerland to the U.S. and enables U.S. companies to meet Swiss legal requirements to protect personal data transferred from Switzerland. The Framework is a successor to the former Swiss-U.S. Safe Harbor framework, which was declared invalid by the Swiss data protection commissioner following the invalidation of Safe Harbor by the European Court of Justice.
U.S. companies may participate in the Framework through an application to the International Trade Association in the U.S. Department of Commerce. Starting April 12, U.S. companies may make an application self-certifying their compliance with Swiss-U.S. Framework Principles. More information will be provided at https://www.privacyshield.gov.
The Swiss-U.S. Privacy Shield Framework is modelled off of the EU-U.S. Privacy Shield Framework approved by the EU Commission in July last year. The Swiss and EU Privacy Shield Framework principles are largely identical. However, the principles reflect a slight difference in the definition of “sensitive information,” an important concept under both the EU and Swiss Frameworks. Unlike the EU-U.S. Framework, the Swiss Framework expressly includes within its definition of “sensitive information” any “information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.” This expanded Swiss definition could impact companies who certify their compliance under the Swiss-U.S. Framework. For example, these companies may need to implement further measures to secure opt-in consent if such “sensitive information” is shared with third parties or used for purposes which were not clear at the time of original collection.
The formerly adopted EU-U.S. Privacy Shield Framework extended only to members of the European Economic Area (EEA). U.S. and Swiss officials sought a separate Privacy Shield agreement since Switzerland is not a member of the EEA. As explained previously on this blog, the EU-U.S. Privacy Shield now faces legal challenge before European courts. It is not clear whether the new Swiss-U.S. Privacy Shield framework could eventually face a similar legal challenge.