Q1: Can a Privacy Shield participant rely on the Swiss-U.S. Privacy Shield Framework to receive personal data from Switzerland in light of the July 16, 2020 decision by the Court of Justice of the European Union (CJEU)? 

  • The Swiss-U.S. Privacy Shield Framework remains a valid mechanism to comply with Swiss data protection requirements when transferring personal data from Switzerland to the United States. On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. On that same day the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland issued a statement noting, among other things, that the “FDPIC has taken note of the CJEU ruling. This ruling is not directly applicable to Switzerland. The FDPIC will examine the judgement in detail and comment on it in due course.”
  • As U.S. Secretary of Commerce Wilbur Ross noted on July 16, 2020, “The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.” 
  • If you have questions, please contact the FDPIC or legal counsel.

Q2: How can an organization that is already participating in the EU-U.S. Privacy Shield self-certify to the Swiss-U.S. Privacy Shield?
  • If your organization has already self-certified to the EU-U.S. Privacy Shield Framework, the organization can log in to its Privacy Shield account and click on “self-certify”. The option will then be available to add the Swiss-U.S. Privacy Shield Framework and other relevant information to your self-certification, such as a recourse mechanism.
  • All organizations that add the Swiss-U.S. Privacy Shield Framework will be required to pay a separate annual fee to the U.S. Department of Commerce’s International Trade Administration (ITA) in order to participate. The cost of self-certifying to the second Framework is half the cost of self-certifying to the first Framework. Information on the fee schedule is available here.
  • Please note that an organization’s re-certification date for both the Swiss-U.S. and EU-U.S. Frameworks will be based on the date the first of its two certifications was finalized.

Q3: How can an organization that is not already participating in the EU-U.S. Privacy Shield self-certify to the Swiss-U.S. Privacy Shield or both frameworks?
  • To self-certify to one or both Frameworks, organizations can click on the "Self-Certify" link on this website, create a profile, and then choose whether to certify to one or both frameworks.
  • Note that on July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. 

Q4: Does an organization that participated in the U.S.-Swiss Safe Harbor need to update its privacy policy before self-certifying to Privacy Shield?

Q5: Does the Department of Commerce have sample language that can be used in an organization’s privacy policy to refer to its participation in the Privacy Shield?
  • Yes. The following language is acceptable for this purpose if an organization is participating in only the Swiss-U.S. Privacy Shield Framework:
    • (INSERT your organization name) complies with the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from Switzerland to the United States. (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
  • If an organization is participating in both the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks, the following language is acceptable:
    • (INSERT your organization name) complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively.  (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

Q6: What are the differences between the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks?
  • Other than as discussed in Q1, the Principles under the two frameworks align, with a few exceptions, including:
    • The Swiss Federal Data Protection and Information Commissioner’s authority substitutes for that of the EU DPAs throughout the Swiss-U.S. Privacy Shield compared to the EU-U.S. Privacy Shield. For instance, under the Swiss-U.S. Privacy Shield, an organization may satisfy points (a)(i) and (a)(iii) of the Recourse, Enforcement and Liability Principle by committing to cooperate with the Swiss Federal Data Protection and Information Commissioner. When covering HR data received from Switzerland for use in the context of the employment relationship, organizations must commit to cooperate with and comply with the advice of the Commissioner. There is no fee associated with the commitment to cooperate and comply with the Swiss Commissioner. Under the EU-U.S. Privacy Shield, the comparable commitment is to cooperate with the EU DPAs, which requires an annual fee of US $50 to cover the operating costs of the EU DPA panel.
    • The definition of sensitive data under the Choice Principle is modified slightly under the Swiss-U.S. Privacy Shield to include ideological views or activities, information on social security measures, or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.