Earlier this month, the Swiss Federal Council approved the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). Beginning September 15, 2024, companies may rely on the Swiss-U.S. DPF as a lawful basis to transfer personal data of Swiss residents to companies in the United States.
What is the Swiss-U.S. DPF and Why is it Important?
The Swiss-U.S. DPF is a framework developed by the U.S. Department of Commerce’s International Trade Association (ITA). The Swiss-U.S. DPF aims to facilitate commerce by providing U.S. organizations with reliable mechanisms for personal data transfers to the United States from Switzerland. As a general rule, several international privacy laws and regulations prohibit the transfer of their citizens’ personal data to countries that “lack adequate data protection laws.” These countries are known as “third countries,” and the United States is designated as a third country under several international privacy laws such as the European Union (EU)’s GDPR, the UK GDPR and Switzerland’s Federal Act on Data Protection (FADP).
To lawfully transfer personal data to a third country under these international laws, a transfer mechanism, approved by the country’s privacy regulators, must be in place. Such transfer mechanisms include, but are not limited to:
- Model Contracts – standard agreements issued by regulators to be executed by data exporters (the party sending the data) and data importers (the party receiving data) (e.g., Standard Contractual Clauses, UK International Data Transfer Agreement);
- Binding Corporate Rules (BCRs) – data protection policies adhered to by companies established in the EU, UK, and Switzerland for transfers of personal data outside these jurisdictions within a group of undertakings or enterprises. BCRs are typically used by multinational companies. BCRs must be reviewed and approved by a privacy regulator before they can be used as a reliable transfer mechanism.
- Data Privacy Frameworks – Companies that participate in the ITA’s DPF programs may lawfully rely on participation in these frameworks to freely transfer personal data from certain countries to the United States. The ITA maintains a list of active and inactive participating organizations. Along with the Swiss-U.S. DPF, the ITA has another framework that allows the transfer of personal data from individuals in the EU through the EU-U.S. DPF and from individuals in the United Kingdom via the UK Extension to the EU-U.S. DPF.
The Swiss-U.S. DPF is important because it expands how U.S. companies may receive personal data of Swiss individuals. A “transfer” of personal data under most international laws is construed broadly and is more than sending a flash drive of personal data, or an email containing such data. A data transfer can include merely accessing or viewing personal data from the United States. Thus, for companies doing business in Switzerland, a data transfer mechanism is needed when accessing information of Swiss residents which may include customers, employees and their relatives, contractors and service providers in Switzerland and Swiss website visitors.
One of the distinctive features of Switzerland’s FADP compared to other international privacy laws such as the GDPR is the FADP’s criminal liability. Failure to properly transfer data in accordance with the FADP may impose consequences under Swiss criminal law for company leaders responsible for privacy compliance.
What is the Difference between the Swiss-U.S. DPF and the Swiss Privacy Shield?
The Swiss Privacy Shield was invalidated on September 8, 2020, and replaced by the Swiss-U.S. DPF. In light of the Schrems II Court of Justice of the European Union (CJEU) decision, Switzerland’s privacy regulator, the Federal Data Protection and Information Commissioner (FDPIC), determined that the special data protection rights for Swiss persons outlined in the Privacy Shield did not provide an adequate level of protection for data transfers from Switzerland to the United States under the FADP. The FDPIC found that the Privacy Shield could no longer be relied upon as a data transfer mechanism.
The Swiss-U.S. DPF amends and revamps the invalidated Privacy Shield framework to address the privacy concerns raised in the Schrems II decision four years ago.
Does my Organization Need to Enter the Swiss-U.S. DPF if Another Transfer Mechanism is in Use?
No. Organizations are only required to have one transfer mechanism in place. Multiple mechanisms are not mandatory, but some organizations maintain more than one. For example, organizations that participate in the DPF may also execute model agreements as a failsafe in case the DPF is invalidated.
What are the Pros/Cons of the Swiss-U.S. DPF?
| Pros | Cons |
| --- | --- |
| No Additional Assessments. The DPF does not require any additional transfer assessments to be completed. By contrast, relying on other transfer mechanisms, such as the model contracts, requires organizations to execute the agreements and also complete a transfer impact assessment (TIA) or transfer risk assessment (TRA). These assessments require entities to identify the potential risks to personal data based on national security and surveillance laws in the importing country. Completing the TIA/TRAs is often time-consuming and a missed step. The ability to bypass this step using the DPF is a major benefit. | Cost. Organizations must pay to participate in the Swiss-U.S. DPF. Framework certification (and recertification) is done annually, and the price varies by the organization’s annual revenue and the number of frameworks the company wants to join, whereas other transfer mechanisms, such as model contracts, are freely available. |
| Data Governance. The DPF outlines several privacy principles participating organizations must adhere to for certification. While the U.S. does not yet have a federal comprehensive privacy law, the DPF outlines several core privacy principles we would expect to see in federal privacy legislation once enacted. The program forces participating organizations to look at their existing privacy practices and get up to speed on how to safeguard personal data. Participation in the DPF shows a baseline of compliance for regulators in the U.S. and abroad, even if the DPF is not used for data transfers. | Additional Vendors. DPF certification can be a time-consuming process. The DPF also requires participating organizations to (i) provide an appropriate independent recourse mechanism designated to address individuals’ privacy complaints and provide recourse, free of charge, and (ii) offer binding arbitration under certain conditions. Companies often use vendors to manage or offer these services, which is an additional cost. |
| | Potential Legal Challenges. The DPF could be invalidated. As seen with the Swiss Privacy Shield, a challenge to the Privacy Principles in the DPF could lead a European or Swiss court to render the DPF invalid, forcing companies to find a different mechanism to lawfully transfer data. |
We will continue to monitor international privacy updates and guidance on personal data transfers. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy & Data Security Mobile Application.