US companies with employees or clients in Switzerland will be interested to hear that the new Swiss-US Privacy Shield was approved on 11 January.
Although Switzerland is not a member of the European Union, its data protection law (Federal law of 19 June 1992) is very similar to the European 1995 Data Protection Directive. According to the Federal law, the transfer of personal data outside of the country is not allowed if that would pose a serious threat, in particular in the absence of a legislation that ensures an “adequate level of protection”, a concept which is also used in the Directive.
Swiss authorities have set out a list of countries that afford an adequate level of protection but the US is not on the list and therefore, for businesses who want to transfer data to the US, they have to adopt one of the available “transfer tools”.
For transfers between the EU and the US, the EU-US Privacy Shield has now replaced the invalidated Safe Harbor. The Swiss Safe Harbor was not invalidated, but there is now a Swiss-US Privacy Shield which will work in the same way as the EU-US Privacy Shield:
- businesses which want to transfer personal data to the US must make a number of undertakings which reflect the obligations provided under the Directive,
- it is a self-certification process,
- a new arbitration body will handle claims,
- an ombudsman will address concerns about intelligence services and
- the FTC is expected to play a key role in the enforcement of the Shield.
One important difference, however, is that the Swiss-US Privacy Shield was not negotiated by the European Commission, but by the Swiss authorities and can therefore not be challenged before the European Court of Justice. The challenges currently pending before the Court against the EU-US Privacy Shield should therefore not directly and immediately impact the Swiss Shield.
The US Department of Commerce will begin accepting certifications under the Swiss-US Privacy Shield on April 12, 2017.