Last updated: September 16, 2020

Q1: Can a Privacy Shield participant rely on the Swiss-U.S. Privacy Shield Framework to receive personal data from Switzerland in light of the September 8, 2020 opinion of the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland? 

  • On September 8, 2020 the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland issued an opinion concluding that the Swiss-U.S. Privacy Shield Framework does not provide an adequate level of protection for data transfers from Switzerland to the United States pursuant to Switzerland’s Federal Act on Data Protection (FADP). As a result of that opinion, organizations wishing to rely on the Swiss-U.S. Privacy Shield to transfer personal data from Switzerland to the United States should seek guidance from the FDPIC or legal counsel. That opinion does not relieve participants in the Swiss-U.S. Privacy Shield of their obligations under the Swiss-U.S. Privacy Shield Framework.
  • On July 16, 2020, the Court of Justice of the European Union (CJEU) had issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. On that same day the FDPIC issued a statement noting, among other things, that the  FDPIC would examine the CJEU judgement in detail and comment on it in due course. The FDPIC had previously noted on January 11, 2017 that the FDPIC reserved the right to reappraise the Swiss-U.S. Privacy Shield as appropriate in light of actual implementation and this reappraisal would take account of court judgments in Switzerland and in the EU.
  • The United States remains committed to working with the EU and Switzerland to ensure continuity in transatlantic data flows and privacy protections. The U.S. Department of Commerce has been and will remain in close contact with the European Commission and the Swiss Administration on this matter and hopes to be able to limit the negative consequences of the EU and Swiss determinations to the transatlantic data flows that are so vital to our respective citizens, companies, and governments.
  • As U.S. Secretary of Commerce Wilbur Ross noted on July 16, 2020, “The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.” 
  • If you have questions, please contact the FDPIC or legal counsel.


Q2: Why should U.S.-based organizations participate in the Swiss-U.S. Privacy Shield Framework in light of the September 8, 2020 opinion of the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland?

  • Organizations’ continued participation in the Swiss-U.S. Privacy Shield demonstrates a serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for Swiss individuals.
  • The September 8, 2020 opinion issued by the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland does not relieve participants in the Swiss-U.S. Privacy Shield of their obligations under the Swiss-U.S. Privacy Shield Framework. On August 5, 2020, Federal Trade Commission (FTC) Chairman Joseph Simons noted that “we will continue to hold companies accountable for their privacy commitments, including promises made under the Privacy Shield.”
  • On August 10, 2020, U.S. Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders issued a joint statement noting that “The U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case.” The Department will also continue discussions with Switzerland towards working to enhance the Swiss-U.S. Privacy Shield Framework in support of transatlantic data flows. The Department is continuing to administer the Privacy Shield program while those discussions proceed.
  • For help determining the most appropriate data transfer mechanism for an organization, please contact the FDPIC or legal counsel.


Q3: Have the requirements regarding re-certification under the Swiss-U.S. Privacy Shield Framework changed in light of the September 8, 2020 opinion of the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland?

  • The U.S. Department of Commerce’s International Trade Administration (ITA) continues to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield and maintaining the Privacy Shield List.
  • Organizations continue to be required to re-certify annually if they wish to remain on the Privacy Shield List. Please see the guidance on how to re-certify to Privacy Shield for additional information on the re-certification requirements, including the requirement to provide a readily available independent recourse mechanism to hear individual complaints at no cost to the individual and the requirement to contribute to a fund to cover the arbitral costs as described in Annex I to the Privacy Shield Principles. 
  • Organizations continue to be required to pay an annual processing fee to the ITA in order to participate in the Privacy Shield, as the cost recovery program supports the administration and supervision of the Privacy Shield program. The annual processing fee is generally not refundable.


Q4: Have the requirements regarding withdrawal from the Swiss-U.S. Privacy Shield Framework changed in light of the September 8, 2020 opinion of the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland?

  • The U.S. Department of Commerce’s International Trade Administration (ITA) continues to administer the Privacy Shield program, including processing submissions for withdrawal from the Privacy Shield and maintaining both the Privacy Shield List and a record of organizations that have been removed from the Privacy Shield List.
  • Organizations may withdraw from the Privacy Shield at any time; however, they must meet ongoing requirements related to data received under the Privacy Shield and must remove from their websites, privacy policy statements, and any other public documents any representations that could be construed as claims that they participate in or comply with the Privacy Shield. Please see the Privacy Shield Principles and the guidance on withdrawal from the Privacy Shield for additional information on the withdrawal requirements, including the requirement to complete and return to the ITA a withdrawal questionnaire to verify what the organization will do with the personal information that it received while participating in the Privacy Shield, and if personal information will be retained who within the organization will serve as an ongoing point of contact for Privacy Shield-related questions.
  • The annual processing fee that organizations are required to pay to the ITA in order to participate in the Privacy Shield is generally not refundable.


See Swiss-U.S. Privacy Shield FAQs 5-9