This alert was written in collaboration with Stéphanie Chuffart-Finsterwald, associate in the Geneva office of BianchiSchwald LLC.
On 11 January 2017, the Federal Council of Switzerland announced that it had reached an agreement with the United States to replace the U.S.-Swiss Safe Harbor Framework for transferring personal data from Switzerland to the U.S.
The new agreement, titled the Swiss-U.S. Privacy Shield, will establish protections for data transferred to the U.S. comparable to those secured by the European Union under the EU-U.S. Privacy Shield. In particular, these additional protections include enhanced requirements around notice, onward transfers and data retention, as well as commitments by U.S. officials to restrict government access and new mechanisms for individuals to obtain recourse for violations.
While the new framework will replace the Swiss Safe Harbor "immediately", organisations will be able to sign up with the U.S. Department of Commerce ('DOC') only as of 12 April 2017. Following finalisation of the Swiss-U.S. Privacy Shield, US organisations can start the certification process with the DOC within a 3-month period, during which the Swiss data protection authority, the Federal Data Protection and Information Commissioner ('FDPIC'), will not undertake enforcement actions.
What was Swiss Safe Harbor?
Like in the EU, the Federal Act on Data Protection ('FADP') in Switzerland restricts the transfer of personal data to countries that do not guarantee "adequate protection". In 2009, because the U.S. does not have comprehensive data protection legislation equivalent to the FADP, Switzerland and the US negotiated the creation of the Swiss Safe Harbor arrangement, similar to the EU-U.S. Safe Harbor, to safeguard the flow of personal data to U.S. organisations.
Swiss Safe Harbor is a set of privacy principles around notice, choice, access, security, integrity, onward transfers and enforcement administered by the U.S. DOC. Organisations can self-certify to these principles by registering with the DOC and publicly declaring their certification in a privacy notice. As a result, an organisation's commitment is binding and enforceable by the Federal Trade Commission in the U.S., under its authority over unfair and deceptive trade practices.
What's new in Swiss Privacy Shield?
The U.S.-Swiss Privacy Shield Framework is available on the FDPIC’s website.
In general, the new framework is comparable to the EU-U.S. Privacy Shield, which was approved in July 2016.
As explained in previous client alerts, Privacy Shield introduced changes both to the substantive principles organisations must adhere to as well as to the framework's enforcement and recourse mechanisms. In addition, Privacy Shield introduced commitments, not present under Safe Harbor, to limit U.S. government access to personal data for national security purposes.
Changes to the Privacy Principles
For organisations, the most significant changes in the EU-U.S. Privacy Shield surround the principles of notice, onward transfers and data retention.
- Notice: Privacy Shield introduces significant new requirements around the content of the notice that must be provided to individuals. In particular, organisations will be required to inform individuals about the types of personal data collected, the purposes of collection, the entities or subsidiaries of the organisation also adhering to the Shield, as well as an individual's rights to access the data, exercise choice concerning its use and disclosure, and complain to independent dispute resolution bodies or invoke binding arbitration in the event of a dispute.
- Onward transfers: One of the most important changes in Privacy Shield is the expansion of accountability for onward transfers of personal data to third parties. A certified organisation may transfer data to a third party only if the transfer is governed by contract, regardless of whether the third party is Shield-certified as well. The contract must limit processing to the terms of the data subject's consent and hold the third party to the same standards promised by the certified organisation.
Privacy Shield also requires a certified organisation to "take reasonable and appropriate steps" to ensure that the third party processes the data consistent with the Privacy Shield Principles and to "take reasonable and appropriate steps to stop and remediate unauthorized processing". In addition, the third party has a duty to notify the certified organisation if it can no longer meet its obligations. The certified organisation, however, remains liable for any downstream third party processing, unless it proves that it is "not responsible for the event giving rise to the damage".
- Data retention: Privacy Shield imposes an obligation on organisations to retain information only for as long as it serves the original purposes for which it was collected or a "compatible" secondary purpose. However, an organisation may retain the data for longer if it is no longer identifiable "given the means of identification reasonably likely to be used". Moreover, an organisation is bound to uphold the Privacy Shield Principles for as long as it holds data it received while certified, even after the certification lapses.
New enforcement, recourse and dispute resolution mechanisms
The Swiss-U.S. Privacy Shield introduces detailed mechanisms for recourse and dispute resolutions as well as for verification of compliance with the Privacy Shield Principles. Organisations will need to implement processes for handling complaints in order to obtain the approval of the DOC, including by appointing third party dispute resolution bodies that are empowered to provide individual remedies.
Cooperation between the DOC and the FDPIC will be intensified, and the FDPIC will act as a point of contact for persons in Switzerland in the event of any problems in connection with the transfer of data to the U.S.
Moreover, a Swiss-U.S. Shield-certified organisation will be required to demonstrate compliance with the Principles either through a yearly self-assessment, signed by a corporate officer, or by engaging an outside party for an annual compliance review.
Commitments to refrain from indiscriminate government access
In addition to new requirements on organisations that certify to Swiss-U.S. Privacy Shield, the agreement also contains certifications from high-level U.S. officials on the limits to government access to personal data for national security purposes. Swiss residents will have recourse to an Ombudsman, lodged within the U.S. Department of State, to investigate any complaints of improper government access.
Why was Swiss Privacy Shield necessary?
On October 6, 2015, the Court of Justice of the European Union, in Schrems v. Data Protection Commissioner, struck down the EU-U.S. Safe Harbor for failing to provide adequate assurances against indiscriminate government access to personal data transferred to the U.S. Following the invalidation of Safe Harbor, EU and U.S. officials negotiated its replacement, which was formally approved in July 2016. Since August 1st, more than 1400 companies have already enrolled in the EU-U.S. Privacy Shield.
When EU-U.S. Safe Harbor was invalidated, the FDPIC in Switzerland released a statement that, for the same reasons as in the EU, it did not consider Swiss Safe Harbor to provide adequate protection. The FDPIC also amended its List of states with adequate data protection legislation, which under the applicable law restricted transfers of personal data to the US.
The FDPIC stated on 11 January 2017 that it considers that the new framework guarantees an adequate level of data protection. On 12 January 2017, it amended the List of states with adequate data protection legislation, moving the U.S. from “insufficient level” to "sufficient level under certain conditions". However, in a statement dated 11 January 2017, the FDPIC reserved its right, following the annual evaluations of Privacy Shield, to revise its List in view of actual implementations, stressing that the review will take account of Swiss and EU court judgments.
The new agreement thus alleviates the concerns expressed by the FDPIC and restores greater certainty in transfers from Switzerland to the U.S. – at least for now.
Dark clouds on the horizon for international data transfers
At the same time as Swiss Privacy Shield is being unveiled, its EU counterpart faces an uncertain future. Two separate challenges to the EU-U.S. Privacy Shield have been lodged with the Court of Justice since September 2016, alleging that the new agreement fails to address the concerns that were raised in the Schrems judgement.
These actions complement an equivalent challenge to Standard Contractual Clauses ('SCCs') that is winding its way through the Irish courts and is likely also to be referred to the Court of Justice. Switzerland, like the EU, permits the use of SCCs to safeguard international data transfers. Thus, for the foreseeable future, this will remain an area to watch closely.