What to Know About the Swiss-U.S Privacy Shield

Published On January 25, 2017 | By Anna Myers | International

The United States and Switzerland have finalized a Swiss-U.S. Privacy Shield Framework that is nearly identical to the EU-U.S. Privacy Shield. The Swiss Shield codifies the requirements of Article 6 of the Swiss Federal Act on Data Protection. To be eligible for self-certification, organizations must be subject to the investigatory and enforcement powers of the FTC or the Department of Transportation. Switzerland may recognize other statutory bodies that will enforce compliance with the Principles in an annex in the future.

The Swiss-U.S. Privacy Shield applies the same principles as the EU-U.S. Privacy Shield with a few exceptions, most notably:

  • The Swiss Shield is regulated by the Swiss Federal Data Protection and Information Commissioner’s Authority (instead of EU DPAs).
  • The definition of Sensitive Data is broader under the Swiss Shield, as it includes “ideological views or activities, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.”
  • At the first annual review, the Department of Commerce and the Swiss Government will implement a binding arbitration option under the Swiss Shield.

Companies may register under the Swiss-U.S. Privacy Shield starting April, 12 2017. The principles are enforceable immediately upon certification.

To prepare to certify under the Swiss Shield, companies that will receive personal data from Switzerland should:

  • Review privacy practices for compliance with the principles of the Shield.
  • Revise privacy practices in accordance with the principles.
  • Select an independent recourse mechanism.
  • Revise and update privacy policies in accordance with the principles, including removing references to Swiss-U.S. Safe Harbor when appropriate.
  • On or after April 12, 2017 complete the self-certification on the Department of Commerce’s Privacy Shield website.

Important notes for companies already certified under the EU-U.S. Privacy Shield

  • You can log into your existing Privacy Shield account and click on “self-certify” to add the Swiss-U.S. Privacy Shield Framework.
  • The recertification date for both the Swiss-U.S. and EU-U.S. Frameworks will be one year from the date the first certification was finalized.


About The Author

Anna works with ZwillGen attorneys on a variety of privacy & technology legal matters. Prior to joining ZwillGen, Anna was a Westin Fellow with the International Association of Privacy Professionals (IAPP). During her time at the IAPP, she focused on emerging privacy and technology issues in the U.S. and Europe and developed related publications, tools, and practice guides. Anna also worked at Harvard University’s Berkman Center for Internet and Society, the Network Advertising Initiative, and the U.S. Department of the Treasury’s Office of Privacy, Transparency and Records.