Last month the United States Department of Commerce and Switzerland’s Federal Council declared that the new Swiss-US Privacy Shield Framework will be the successor to the Swiss-US Safe Harbor framework. The Swiss-US Safe Harbor framework was declared invalid in October 2015 following the European Union Court of Justice’s decision that the EU-US Safe Harbor was an inadequate legal mechanism for personal data transfers to the US. Since then, officials have drafted the new framework to ensure that the Swiss-US Privacy Shield Framework improves upon the U.S.-Swiss Safe Harbor framework by including stricter data protection principles. These include enhanced requirements around notice, onward transfers and data retention, improved management of the framework by US authorities, and new mechanisms for individuals to obtain recourse for violations.
While the replacement occurred immediately, the Department of Commerce will begin accepting certifications on April 12, 2017 so that organizations have time to review the new Swiss-US Privacy Shield Principles.
The mechanism for personal data transfers from member countries of the European Economic Area (EEA) is the EU-US Privacy Shield, and because Switzerland is not a member of the EEA, Swiss and US officials developed this separate agreement. Although the two agreements are separate, the Swiss-US Privacy Shield framework parallels the EU-US Privacy Shield framework in many ways. The Federal Council stated that “the fact that the two frameworks are similar is highly significant, as it guarantees the same general conditions for persons and businesses in Switzerland and the EU/EEA area in relation to trans-Atlantic data flows.”
While the two agreements are similar in many ways, there are still some areas where they vary. Organizations should not assume that certification for EU-US Privacy Shield translates directly to certification for Swiss-US Privacy Shield. Each organization should have its privacy posture assessed and verified against the new Swiss-US framework.
TRUSTe has assessment and verification solutions. As of February 2017, TRUSTe has helped over 350 companies with their EU-US Privacy Shield needs, and plans to provide Swiss-US assessments as well. To find out more, contact us.