Switzerland Authorizes Safe Harbor Framework for Personal Data Transfers to the United States
The new U.S.-Swiss Safe Harbor Framework ("U.S.-Swiss Safe Harbor"), effective February 16, 2009, facilitates transfer of personal data from companies in Switzerland to companies in the United States.
Previously, the Swiss Data Protection Act ("DPA") permitted the transfer of "personal data" from Switzerland only to jurisdictions that the Federal Data Protection and Information Commissioner ("FDPIC") deemed to provide an adequate level of data protection. In order to transfer personal data from Switzerland to jurisdictions that the FDPIC did not deem to provide an adequate level of data protection, the exporting and importing organizations were required to sign an agreement guaranteeing that the importing organization would provide the "appropriate" level of data protection required under Swiss law. The FDPIC has found the following contractual agreements to provide an appropriate level of protection: (1) Standard Contractual Clauses of the European Union, (2) the Council of Europe's model contract for safeguarding an appropriate level of data protection in transborder data transfers, and (3) the FDPIC's model contract for the outsourcing of data processing abroad. The parties would then submit the agreement to the FDPIC for inspection and approval prior to any transfer of personal data outside of Switzerland. With the implementation of the U.S.-Swiss Safe Harbor, organizations seeking to transfer personal data from Switzerland to the United States now have an alternative means to do so under the DPA.
Similar to the existing Safe Harbor structure between the European Union and the United States ("U.S.-E.U. Safe Harbor"), the U.S.-Swiss Safe Harbor allows U.S. companies to self-certify to the U.S. Department of Commerce that they will uphold the same seven data protection principles contained in the U.S.-E.U. Safe Harbor Framework: Notice, Choice, Onward Transfer, Security, Data Integrity, Access, and Enforcement. Applicants may certify to the U.S.-Swiss Safe Harbor alone or along with the U.S.-E.U. Safe Harbor on the same Certification Form by selecting Switzerland as a country from which they receive personal data. Switzerland will recognize certified companies as meeting its required standard of data protection and allow transfer and access to Swiss personal data by these companies. The U.S.-Swiss Safe Harbor also provides for special dispute resolution boards in cases of data protection breaches and permits the U.S. Federal Trade Commission to take action against certified companies in cases of egregious or repeated data protection infringement. These remedies are in addition to possible private actions.
The significant overlap in substantive requirements and certification procedures for both the U.S.-Swiss and U.S.-E.U. Safe Harbors will likely benefit entities seeking to streamline compliance policies and procedures for transferring data from both the European Union and Switzerland to the United States. One notable distinction, however, is that the Swiss DPA defines "personal data" to include all information relating to natural and legal persons, e.g., companies, associations, etc. By contrast, both the U.S.-Swiss Safe Harbor and the U.S.-E.U. Safe Harbor cover only personal data of natural persons. Thus, organizations seeking to transfer other types of data from Switzerland may still need to enter into cross-border data transfer agreements and seek approval from the FDPIC.
For further information on certifying compliance with the U.S.-Swiss Safe Harbor, the U.S.-E.U. Safe Harbor, or both, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.
Mauricio F. Paez
Joseph J. Bernasky
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our web site at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.