On January 11, 2017, the US and Swiss authorities announced their agreement on a new cross-border data transfer framework, the Swiss-US Privacy Shield Framework, to allow US companies to meet the requirements for transfers of personal data from Switzerland to the US.
This new Framework, which will replace the existing US-Swiss Safe Harbor program, will begin accepting self-certifications from US companies starting on April 12, 2017.
The Framework requirements were described by Swiss authorities as aligning with those agreed to between the US and EU authorities for the EU-US Privacy Shield Framework, and the Principles governing the two frameworks mirror each other: Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, Recourse, Enforcement and Liability. This alignment should mean that companies that are eligible for EU-US Privacy Shield certification will likely also be eligible for US-Swiss Privacy Shield certification, provided that they perform appropriate due diligence and compliance on Swiss-to-US data flows, similar to what was accomplished by the twin Safe Harbor programs.
For companies that have existing US-Swiss Safe Harbor certifications, self-certification to this new Framework will also address the uncertainty related to personal data transfers under that program, the validity of which was called into question by the Swiss data protection authority shortly after the invalidation of the US-EU Safe Harbor program and which the Swiss Federal Council has just formally terminated.
The Swiss authorities stated in their announcement that US companies can start the certification process with the US Department of Commerce within a three-month period (from now until April 12, 2017), during which the Swiss data protection authority will not undertake enforcement actions against them.
Contributors: Amy de la Lama, Michael Egan and Harry Valetk