Swiss-US Privacy Shield: New Framework for the Transfer of Data to the USA

Susanne Hofmann, Data Protection Officer, PwC Switzerland and Liechtenstein, 16 Jan 2017

The so-called Swiss-US Privacy Shield replaces the Safe Harbor Agreement between Switzerland and the USA. The agreement establishes a new regulatory framework for the transmission of personal data from Switzerland to certified companies domiciled in the US. The same standards will apply for Swiss transfers of personal data to the USA as for data transfers from the EU.

Swiss data protection legislation stipulates specific requirements for the transfer of personal data abroad. They protect the personality and the rights of the data subjects concerned. However, the US is not deemed to provide an adequate level of data protection in terms of Swiss law. Swiss companies therefore have to take specific measures to safeguard personal data when it is transferred to the US.

Until recently, Swiss companies could rely on the Swiss-US Safe Harbor Agreement. After the Court of Justice of the European Union declared the EU-US Safe Harbor Agreement invalid, the Swiss Federal Data Protection and Information Commissioner (FDPIC) put the Swiss-EU Safe Harbor Agreement into question.

In August 2016, the EU and USA put into place a successor agreement, the EU-US Privacy Shield. Switzerland also entered into negotiations with the USA, which resulted in the Swiss-US Privacy Shield.

Enhancing the Application of Data Protection Principles, New Tasks for the FDPIC

The agreement is expected to substantially improve the position of those concerned by personal data transfers. The application of data protection principles by participant companies should be enhanced, as should the management and supervision of the framework by the US authorities. Cooperation between the US Department of Commerce (DOC) and the Federal Data Protection and Information Commissioner (FDPIC) should be intensified. The persons concerned are being given specific instruments to enable them to find out about data processing directly from certified US companies or the competent authorities, and to ensure that any required corrections or deletions are made. For example, the FDPIC will act as a point of contact for persons in Switzerland in the event of any problems in connection with the transfer of data.

Same Conditions as in the EU for the Transmission of Personal Data to the US

The new regulatory framework corresponds to the solution adopted by the USA and the EU and implemented within the European Economic Area (EEA) – the EU-US Privacy Shield. The similarity is highly significant, as it guarantees the same framework conditions for persons and businesses in Switzerland and the EU/EEA area in relation to transatlantic data flows. The same standards therefore apply for Swiss personal data transfers to the USA as for data transfers from the EU. This increases legal certainty in commercial transactions and reduces additional costs for the economy.

Need for Action for Companies

US companies can start the certification process with the DOC three months after the finalization of the agreement. Interested US companies are advised to obtain a Privacy Shield Certificate from the DOC. Swiss companies should make sure that their US partners possess such a certificate. Both conditions must be met for Swiss companies to transfer personal data to the US without requiring additional contractual guarantees. Furthermore, companies should review their current contractual basis for data transfers to the US and adapt it to the Swiss-US Privacy Shield where required.

Contact

Susanne Hofmann

Data Protection Officer, Zurich, PwC Switzerland and Liechtenstein

+41 58 792 17 12
