Last year the U.S. Department of Commerce and the European Commission agreed on a data transfer protocol that provides a mechanism for compliance with data protection requirements when transferring personal data from the EU to the U.S. But because Switzerland is not a member of the EU, U.S. companies that had certified compliance with the EU-U.S. Privacy Shield still had to comply with all Swiss data protection and privacy requirements, separate and apart from those in the Privacy Shield. However, U.S. companies can now breathe a sigh of relief: Switzerland and the U.S. have agreed to a data transfer protocol that, in large measure, mirrors that reached between the U.S. and the EU last year.
Like the EU-U.S. Privacy Shield, the U.S.-Swiss Privacy Shield provides U.S. companies with a single mechanism for complying with Swiss data protection and privacy laws when transferring data from Switzerland to the U.S. Although the U.S.-Swiss Safe Harbor was never officially struck down by European courts, its provisions were parallel to those found in the EU-U.S. Safe Harbor. Thus, the demise of the EU-U.S. Safe Harbor in October 2015 signaled serious trouble for the U.S.-Switzerland Safe Harbor.
The new U.S.-Swiss Privacy Shield, like the U.S.-Swiss Safe Harbor, largely parallels the protections offered by the EU-U.S. Privacy Shield:
- Both agreements impose stronger obligations on U.S. companies that transfer data from Europe to the U.S. to protect the privacy of EU and Swiss citizens;
- Both require the Commerce Department and Federal Trade Commission to undertake more robust monitoring and enforcement of those obligations in conjunction with EU and Swiss data protection authorities on complaints;
- Both allow EU and Swiss citizens to raise complaints about the use of their data through different mechanisms, including communicating directly with the company about commercial misuse concerns;
- Both allow EU and Swiss citizens to report complaints to an ombudsman over the use of their data in connection with U.S. national security practices; and
- Both include assurances from the U.S. government that the U.S. law enforcement and intelligence communities will not have unfettered access to EU and Swiss citizen data.
The EU-U.S. Privacy Shield has faced legal challenges filed by several European privacy organizations and government officials, which have challenged its efficacy in protecting consumer data. Because of its strong parallels to the EU-U.S. Privacy Shield, the new U.S.-Swiss Privacy Shield will likely face similar scrutiny. Thus, it remains to be seen whether this new pact, like its predecessor, will survive legal review.
For now, the U.S.-Swiss Privacy Shield remains an excellent, regulator-approved way to ensure the transfer of Swiss citizens’ personal data from Switzerland to the U.S. meets the privacy and data protection requirements of Swiss data protection authorities.
The similarity of the two agreements also means that companies that do business across Europe need not treat data obtained from the EU and Switzerland differently, which keeps costs and difficulties to a minimum and aids compliance.
And although concerns remain as to the viability of the EU-U.S. Privacy Shield (and now its U.S.-Swiss counterpart), more than 700 companies, including Google and Microsoft, have already signaled compliance with the EU-U.S. Privacy Shield since registration first became available some six months ago.
Companies interested in joining the U.S.-Swiss Privacy Shield can begin registration on April 12, 2017. If interested, please contact your cyber security professional or the cyber security department at Thompson Coburn, LLP.