On January 11, 2017, the Swiss Federal Council and the U.S. International Trade Administration (ITA) announced that the Swiss-U.S. Privacy Shield will replace the U.S.-Swiss Safe Harbor Framework to permit U.S. businesses to transfer personal data from Switzerland to the U.S. in compliance with Swiss data protection laws. The validity of the U.S.-Swiss Safe Harbor Framework had been called into question ever since its European Union counterpart, the U.S.-EU Safe Harbor Framework, was invalidated by the European Court of Justice in October of 2015.
The Swiss-U.S. Privacy Shield is modeled after the EU-U.S. Privacy Shield, which went into effect in July of 2016, and will require U.S. employers currently relying on the U.S.-Swiss Safe Harbor Framework to adhere to stricter privacy principles, create new data transfer policies and procedures, and be subject to greater enforcement and supervision by U.S. and Swiss authorities. U.S. employers will be able to self-certify for the Swiss-U.S. Privacy Shield on the ITA website beginning April 12, 2017.
Next Steps for Employers
U.S. employers relying on the U.S.-Swiss Safe Harbor Framework must remove all references to the outgoing framework and find an alternative legal mechanism to transfer human resources data from Switzerland to the U.S. Because the Swiss-U.S. Privacy Shield is modeled after the EU-U.S. Privacy Shield, employers that self-certified under the EU-U.S. Privacy Shield can simply revise their privacy shield programs to reference the Swiss-U.S. Privacy Shield and Swiss law and enforcement authorities. Other employers may want to create compliant policies, procedures, and redress mechanisms to self-certify for the Swiss-U.S. Privacy Shield.
Alternatively, employers can opt to use legal mechanisms other than the Swiss-U.S. Privacy Shield to transfer personal data from Switzerland. Currently, the Swiss Federal Data Protection Act permits data transfers under several recognized contracts, including the EU’s standard contractual clauses, the Council of Europe’s model contract for safeguarding data protection in cross-border transfers, and the Swiss Federal Data Protection and Information Commissioner’s (FDPIC) model contract for outsourcing data processing abroad. However, given the fact that the validity of the EU’s standard contractual clauses is currently under legal challenge, employers may want to use the Council of Europe and FDPIC contracts.