In July 2016, the European Commission formally adopted the EU-US Privacy Shield, replacing the Safe Harbor Framework (see our news from 13.07.2016). On 11 January 2017, the Swiss Federal Council announced the establishment of the Swiss-US Privacy Shield (see our news from 12.01.2017). As of 12 April 2017, self-certification is open to US organisations (see our news from 12.04.2017).
The Swiss Federal Data Protection and Information Commissioner (the Commissioner) has now published a short information note on data transfers under the Swiss-US Privacy Shield (see here). In a nutshell, the Commissioner draws attention to the following:
- Transfers of personal data from Switzerland to organisations based in the US are only facilitated if the latter are self-certified under the Swiss-US Privacy Shield and thus recognise the Commissioner as supervisory body. Certifications under the EU-US Privacy Shield are not a sufficient basis for transfers of personal data from Switzerland to the US.
- Before transferring personal data to the US, Swiss organisations shall check whether a receiving US organisation is self-certified under the Swiss-US Privacy Shield (cf. Privacy Shield List of the US Department of Commerce; use the “advance” search button in order to refine the search specifically to the Swiss-US Privacy Shield). If the recipient is not self-certified, the transfer must be based on other safeguards, such as in particular EU model clauses adapted to Swiss law requirements or binding corporate rules.
- Authorities cannot self-certify under the Swiss-US Privacy Shield.
- To be eligible to self-certify, a US organisation must be subject to the supervision of the US Federal Trade Commission (FTC) and US Department of Transportation (DOT). Banks, insurance companies and telecommunications companies are generally not permitted to self-certify under the Swiss-US Privacy Shield.