Transatlantic Data Transfers: Swiss Privacy Shield Registration Is Now Open

Starting on April 12, 2017, organizations that conduct transatlantic transfers of personal data can register for participation in the Swiss-U.S. Privacy Shield Framework (“Swiss Privacy Shield”). The Swiss Privacy Shield replaces the now-defunct U.S.-Swiss Safe Harbor Framework (“Swiss Safe Harbor”), and it creates a new legal mechanism for participants to transfer personal data from Switzerland to the United States in accordance with Swiss data protection obligations.

The Swiss Privacy Shield is closely modeled on the EU-U.S. Privacy Shield Framework (“EU-U.S. Privacy Shield”) for transferring personal data from the European Economic Area (EEA) to the U.S.[1] Both the Swiss Privacy Shield and the EU-U.S. Privacy Shield contain requirements centered on the following principles: (1) Notice, (2) Choice, (3) Accountability for Onward Transfer, (4) Security, (5) Data Integrity and Purpose Limitation, (6) Access, and (7) Recourse, Enforcement, and Liability. Under both frameworks, there are supplemental principles and special considerations for human resources (“HR”) data. Organizations that are subject to the investigatory and enforcement powers of the Federal Trade Commission or the Department of Transportation are eligible to self-certify their commitment to the EU-U.S. Privacy Shield and the Swiss Privacy Shield.

Background

Under the EU Data Protection Directive,[2] organizations may transfer personal data only to those countries outside the EEA that ensure an “adequate level of protection” for the data. Before the EU-U.S. Privacy Shield was instituted last summer, organizations relied on three different methods to transfer personal data from the EEA to the U.S. while meeting the Directive’s adequacy requirement—standard contractual clauses, binding corporate rules, and participation in the EU-U.S. Safe Harbor Framework (“EU-U.S. Safe Harbor”).

Although standard contractual clauses and binding corporate rules remain viable means for facilitating cross-border data transfers, EU-U.S. Safe Harbor has been replaced by the EU-U.S. Privacy Shield. On October 6, 2015, the European Union Court of Justice declared in a landmark decision that EU-U.S. Safe Harbor was invalid because it did not sufficiently protect European personal data from surveillance by the U.S. government.[3] After EU-U.S. Safe Harbor was struck down, the U.S. and EU negotiated the EU-U.S. Privacy Shield as its replacement. The EU-U.S. Privacy Shield was formally approved by the European Commission in July 2016 as guaranteeing adequate protections for personal data. Since August 1, 2016, almost 2,000 organizations have registered to participate in the EU-U.S. Privacy Shield.

Similarly to the EU Data Protection Directive, the Swiss Federal Act on Data Protection permits cross-border transfers of personal data only to countries that have guaranteed “adequate” protections for the data. Organizations had been transferring Swiss personal data to the U.S. using model contracts or pursuant to Swiss-U.S. Safe Harbor, a framework that was comparable to EU-U.S. Safe Harbor. Following the invalidation of EU-U.S. Safe Harbor, Switzerland stated that it would begin renegotiating Swiss-U.S. Safe Harbor with U.S. officials. On January 12, 2017, the Federal Council of Switzerland announced that it approved the Swiss Privacy Shield as a viable replacement mechanism. Consequently, organizations can no longer rely on Swiss Safe Harbor to transfer personal data from Switzerland to the U.S.

Differences Between EU-U.S. Privacy Shield and Swiss Privacy Shield

Although the EU-U.S. Privacy Shield and the Swiss Privacy Shield impose nearly identical requirements on organizations, there are a few key differences between the two frameworks. First, “sensitive data” is more broadly defined under the Swiss Privacy Shield to include “ideological or trade union-related views or activities, or information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.” The definition of “sensitive data” is significant under both frameworks because organizations are required to obtain individuals’ affirmative, express consent (i.e., “opt-in” consent) to most uses and disclosures of sensitive personal data. Second, under the Swiss Privacy Shield, the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) assumes the responsibilities that the EU Data Protection Authorities (DPAs) have under the EU-U.S. Privacy Shield. For instance, organizations may commit to cooperating with the FDPIC to fulfill the requirement of providing recourse for individuals who have complaints about the use or disclosure of their personal data. Third, the Swiss Privacy Shield does not currently include the binding arbitration option found in the EU-U.S. Privacy Shield for individuals who still have residual claims after completing independent dispute resolution of their complaints. The binding arbitration option will be considered during the Swiss government’s first annual review of the framework’s effectiveness. Finally, the Swiss Privacy Shield does not offer a grace period for organizations to bring their commercial contracts into compliance with the “Accountability for Onward Transfers” principle.[4] Accordingly, it is important for organizations to update their contracts with third parties to whom they transfer Swiss personal data for processing, such as partners, vendors, and service providers, prior to self-certifying under the Swiss Privacy Shield.

Registration Process

An organization that is currently an EU-U.S. Privacy Shield participant may log into its Privacy Shield account at www.privacyshield.gov and click on the “self-certify” option to add its registration for the Swiss Privacy Shield. The organization can then complete the self-certification process. Further, the organization must pay a separate annual fee to the U.S. Department of Commerce’s International Trade Administration, which administers both Privacy Shield programs. Organizations must annually recertify their commitments to both frameworks. Note that the recertification deadline for both Privacy Shield programs will be one year from the date on which the first of the organization’s two certifications was finalized.

Organizations that are not currently EU-U.S. Privacy Shield participants have the option of registering for both Privacy Shield programs and paying the fees associated with each at the same time or registering for only one of the two programs. All registration fees are derived from a tiered fee schedule that is based on the organization’s annual revenue.

During the registration process for either Privacy Shield program, an organization will be asked to provide at least the following:

  • Copy of the organization’s Privacy Shield policy and the website address at which it is available (if the organization has a public-facing website)
  • If applicable, a copy of the organization’s Privacy Shield policy that addresses HR data and a narrative description of how the organization will make the notice available to its employees
  • Name and contact information of the organization’s primary contact (i.e., the individual designated to handle complaints, access requests, and other Privacy Shield compliance issues)
  • Name and contact information of the organization’s corporate officer (i.e., an individual who is authorized to submit the self-certification on behalf of the organization)
  • Organization’s annual revenue
  • Names of all U.S. entities or subsidiaries of the organization that are also covered under the self-certification
  • Information regarding whether the self-certification covers HR data
  • A brief narrative description of the purposes for which the organization processes personal data in reliance on the Privacy Shield, the types of personal data processed by the organization, and the types of third parties to which it discloses personal data
  • If applicable, the third-party independent recourse mechanism the organization has selected pursuant to the “Recourse, Enforcement, and Liability” principle
  • The U.S. statutory body that has jurisdiction over the organization with respect to Privacy Shield compliance (for instance, the FTC)
  • Verification method (i.e., self-assessment or outside compliance review) the organization has selected to satisfy the supplemental Privacy Shield principles

Preparing for Registration

Organizations will benefit from taking the following steps to prepare for self-certifying under one or both Privacy Shield programs:

  • Identify Personal Data Within the Organization. A critical step for organizations that seek to register for either Privacy Shield program is to inventory all the “personal data” within their enterprises that are subject to Privacy Shield requirements. Organizations should examine how they collect, maintain, and share personal data internally and with third parties. Additionally, organizations should classify any personal data as non-HR data, HR data, non-sensitive data, and sensitive data. Only after fully grasping how personal data enters and flows throughout their enterprises can organizations implement meaningful Privacy Shield compliance practices.
  • Develop and Implement Internal Policies and Procedures. Organizations should ensure that they have an internal infrastructure in place to support their compliance with the Privacy Shield principles. Among other things, the Privacy Shield principles require organizations to offer individuals the opportunity to “opt out” of particular uses and disclosures of their personal data, the chance to “opt in” to most uses of their sensitive personal data, the right to submit Privacy Shield complaints and receive responses within 45 days, and the right to access personal data about them and correct inaccuracies. Moreover, organizations must confirm they are not processing personal data in a manner inconsistent with the purpose for which the information was collected, and they must ensure the integrity of the personal data they collect. Organizations are encouraged to develop internal, written policies and procedures for adhering to these various Privacy Shield requirements and train relevant employees on them.
  • Develop a Written Data Security Program. Pursuant to the “Security” principle under the Privacy Shield, organizations must take “reasonable and appropriate measures” to protect personal data from “loss, misuse, and unauthorized access, disclosure, alteration, and destruction.” To ensure compliance with this principle, organizations are encouraged to develop comprehensive, written information security programs that delineate the administrative, technical, and physical safeguards that they will implement to protect personal data.
  • Create and Post Privacy Shield Policies. The “Notice” Privacy Shield principle requires organizations to make a notice (commonly referred to as a “Privacy Shield policy”) regarding its compliance with the Privacy Shield principles available to individuals whose personal data it collects. If an organization has a public-facing website, then it must ensure that a notice of its practices with respect to non-HR personal data is posted on the website. An organization that transfers HR personal data pursuant to the Privacy Shield must internally disseminate a notice of its practices related to such data to its employees. For example, the organization can post the notice on its company intranet website or include the notice in its employee handbook. The organization may create two notices that separately address non-HR personal data and HR personal data or a single, combined notice that covers both categories of personal data.
  • Evaluate and Update Contracts with Third Parties. Under the “Accountability for Onward Transfers” Privacy Shield principle, organizations must enter into written contracts with certain third parties to which they transfer personal data that obligate the third parties to appropriately protect the personal data. Thus, organizations should assess their existing vendor contracts, service provider contracts, and partner agreements to determine whether they involve “onward transfers” of personal data. The required language for these contracts varies according to whether the third parties can be classified as “agents” or data “controllers” within the meaning of the Privacy Shield frameworks, and organizations should update their third-party contracts accordingly. Organizations should also consider whether they engage in “onward transfers” of personal data to third parties with whom they do not have service contracts and, if so, enter into Privacy Shield data transfer agreements with those parties.
  • Select an Independent Recourse Mechanism. The “Recourse, Enforcement, and Liability” Privacy Shield principle requires organizations to select an “independent recourse mechanism” to which individuals can direct complaints about how their personal information has been handled. Organizations are free to select a private entity as an “independent recourse mechanism,” and there are reputable providers of independent dispute resolution services from which they may choose. Alternatively, organizations may satisfy this Privacy Shield requirement by agreeing to cooperate with the EU DPAs or Swiss FDPIC to resolve complaints. With respect to complaints involving HR personal data, organizations are required to use the EU DPAs or Swiss FDPIC as the independent recourse mechanism.
  • Select a Verification Method. The “Verification” supplemental Privacy Shield principle requires organizations to verify whether they are actually complying with the Privacy Shield framework. Organizations have two options for fulfilling this requirement—they may either internally monitor their Privacy Shield compliance or retain an external resource to conduct an “outside compliance review.” Whether an organization chooses to perform a self-assessment or have an external entity conduct a compliance review, its corporate officer must sign an annual statement indicating that the “Verification” principle has been satisfied. These signed statements must be produced upon request by individuals or in the context of a complaint investigation by the independent recourse mechanism.

For more information, please contact Nick Merker, Deepali Doddi or another member of the Data Security and Privacy Group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.


[1] The European Economic Area consists of European Union (EU) member states and Iceland, Liechtenstein and Norway.
[2] See EU Data Protection Directive 95/46/EC.
[3] Maximillian Schrems v Data Protection Commissioner, Case C-362/14, 6 October 2015.
[4] The EU-U.S. Privacy Shield, on the other hand, extended a nine (9)-month grace period for compliance with the onward transfer requirement to those organizations that registered within the first sixty days of the program’s launch.