On 11 January 2017, the Federal Council of Switzerland announced that it had reached an agreement with the United States to replace the U.S.-Swiss Safe Harbor Framework for transferring personal data from Switzerland to the U.S. What is the background?
The Swiss Federal Act on Data Protection (FADP) [Bundesgesetz über den Datenschutz (DSG)] went into effect in July 1993, followed by important modifications in January 2008. The FADP prohibits the transfer of personal data to countries that do not meet Switzerland’s “adequacy” standard for privacy protection. While the United States and Switzerland share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by Switzerland. In order to bridge these differences in approach and provide a streamlined means for U.S. organizations to comply with the FADP, the U.S. Department of Commerce, in consultation with the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland, developed a “safe harbor” framework and the associated website to provide the information an organization would need to evaluate – and then join – the U.S.-Swiss Safe Harbor program.
What killed Safe Harbor?
On October 6, 2015, the Court of Justice of the European Union, in Schrems v. Data Protection Commissioner, struck down the EU-U.S. Safe Harbor for failing to provide adequate assurances against indiscriminate government access to personal data transferred to the U.S. Following the invalidation of Safe Harbor, EU and U.S. officials negotiated its replacement, which was formally approved in July 2016. Since August 1st, more than 1400 companies have already enrolled in the EU-U.S. Privacy Shield.
When EU-U.S. Safe Harbor was invalidated, the FDPIC in Switzerland released a statement that, for the same reasons as in the EU, it did not consider Swiss Safe Harbor to provide adequate protection. The FDPIC also amended its List of states with adequate data protection legislation, which under the applicable law restricted transfers of personal data to the U.S. Interestingly, even though Swiss Safe Harbor no longer provided the adequate protection sought, for pragmatic reasons it was never formally withdrawn from use, pending the unveiling of its successor.
Long live Privacy Shield
The FDPIC stated on 11 January 2017 that it considers that the new framework guarantees an adequate level of data protection. On 12 January 2017, it amended the List of states with adequate data protection legislation, moving the U.S. from “insufficient level” to “sufficient level under certain conditions”. However, in a statement dated 11 January 2017, the FDPIC reserved its right, following the annual evaluations of Privacy Shield, to revise its List in view of actual implementations, stressing that the review will take account of Swiss and EU court judgments.
The new agreement thus alleviates the concerns expressed by the FDPIC and restores greater certainty in transfers from Switzerland to the U.S. – at least for now.
What’s new under the Swiss Privacy Shield framework?
In general, the new framework is comparable to the EU-U.S. Privacy Shield, which was approved in July 2016.
Privacy Shield introduces changes both to the substantive principles organisations must adhere to as well as to the framework’s enforcement and recourse mechanisms. In addition, Privacy Shield introduces commitments, not present under Safe Harbor, to limit U.S. government access to personal data for national security purposes.
Under the Swiss-U.S. Privacy Shield, the definition of sensitive data under the Choice Principle is slightly broader than under the EU-U.S. Privacy Shield: it additionally covers ideological views or activities, information on social security measures, and administrative or criminal proceedings and sanctions that are treated outside pending proceedings.
Changes to the Privacy Principles
For organisations, the most significant changes in the Swiss-U.S. Privacy Shield surround the principles of notice, onward transfers and data retention.
- Notice: Privacy Shield introduces significant new requirements around the content of the notice that must be provided to individuals. In particular, organisations will be required to inform individuals about the types of personal data collected, the purposes of collection, the entities or subsidiaries of the organisation also adhering to the Shield, as well as an individual’s rights to access the data, exercise choice concerning its use and disclosure, and complain to independent dispute resolution bodies or invoke binding arbitration in the event of a dispute.
- Onward transfers: One of the most important changes in Privacy Shield is the expansion of accountability for onward transfers of personal data to third parties. A certified organization may transfer data to a third party only if the transfer is governed by contract, regardless of whether the third party is Shield-certified as well. The contract must limit processing to the terms of the data subject’s consent and hold the third party to the same standards promised by the certified organization.
Privacy Shield also requires a certified organization to “take reasonable and appropriate steps” to ensure that the third party processes the data consistent with the Privacy Shield Principles and to “take reasonable and appropriate steps to stop and remediate unauthorized processing”. In addition, the third party has a duty to notify the certified organisation if it can no longer meet its obligations. The certified organization, however, remains liable for any downstream third-party processing, unless it can prove that it is “not responsible for the event giving rise to the damage”.
- Data retention: Privacy Shield imposes an obligation on organisations to retain information only for as long as it serves the original purposes for which it was collected or a “compatible” secondary purpose. However, an organisation may retain the data for longer if it is no longer personally identifiable “given the means of identification reasonably likely to be used”. Moreover, an organisation is bound to uphold the Privacy Shield Principles for as long as it holds data it received while certified, even after the certification lapses.
New enforcement, recourse and dispute resolution mechanisms
The Swiss-U.S. Privacy Shield introduces detailed mechanisms for recourse and dispute resolution as well as for verification of compliance with the Privacy Shield Principles. In order to obtain the approval of the DOC, organisations will need to implement processes for the expeditious handling of complaints, including by appointing third-party dispute resolution bodies that are empowered to provide individual remedies. Moreover, all independent recourse mechanisms must be provided at no cost to the individual.
Cooperation between the DOC and the FDPIC will be intensified, and the FDPIC will act as a point of contact for persons in Switzerland in the event of any problems in connection with the transfer of data to the U.S.
Moreover, a Swiss-U.S. Shield-certified organisation will be required to demonstrate compliance with the Principles either through a yearly self-assessment, signed by a corporate officer, or by engaging an outside party for an annual compliance review.
Commitments to refrain from indiscriminate government access
In addition to new requirements on organisations that certify to Swiss-U.S. Privacy Shield, the agreement also contains certifications from high-level U.S. officials on the limits to government access to personal data for national security purposes. Swiss residents will have recourse to an Ombudsman, lodged within the U.S. Department of State, to investigate any complaints of improper government access.
In domestic criminal investigations, the Fourth Amendment generally requires law enforcement officers to obtain a court-issued warrant before conducting a search. When the warrant requirement does not apply, government activity is subject to a “reasonableness” test under the Fourth Amendment. The Constitution itself, therefore, ensures that the U.S. government does not have limitless, or arbitrary, power to seize private information.