On January 12, 2017, Swiss Federal Councillor Johann Schneider-Ammann announced the approval of the Swiss-U.S. Privacy Shield Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States. The Swiss-U.S. Privacy Shield Framework will immediately replace the U.S.-Swiss Safe Harbor. To give organizations the time needed to review the Privacy Shield Principles and the commitments they entail, U.S. Acting Under Secretary of Commerce Ken Hyatt announced that the Department will begin accepting Privacy Shield certifications on April 12, 2017.
Beginning April 12, 2017, the Department of Commerce will no longer accept any U.S.-Swiss Safe Harbor certifications. The Department will maintain the U.S.-Swiss Safe Harbor List of participants.
U.S.-EU Safe Harbor
On July 12, 2016, U.S. Secretary of Commerce Penny Pritzker joined European Union Commissioner Věra Jourová to announce the approval of the EU-U.S. Privacy Shield Framework as a valid legal mechanism to comply with EU requirements when transferring personal data from the European Union to the United States. The EU-U.S. Privacy Shield Framework replaces the U.S.-EU Safe Harbor Framework. The Department began accepting certifications on August 1, 2016.
As of October 31, 2016, the Department stopped accepting all U.S.-EU Safe Harbor certifications. The Department will maintain the U.S.-EU Safe Harbor List of participants.
Please note that, pursuant to the Safe Harbor Frequently Asked Question on Self-Certification, the commitment to adhere to the U.S.-EU and U.S.-Swiss Safe Harbor Principles is not time-limited, and a participating organization must continue to apply the Principles to data received under the Safe Harbor.
For more information on the Swiss-U.S. Privacy Shield Framework and the EU-U.S. Privacy Shield Framework, please visit https://www.privacyshield.gov.
The Swiss Federal Act on Data Protection (FADP) went into effect in July 1993, followed by important modifications in January 2008. The FADP would prohibit the transfer of personal data to countries that do not meet Switzerland’s “adequacy” standard for privacy protection. While the United States and Switzerland share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by Switzerland. In order to bridge these differences in approach and provide a streamlined means for U.S. organizations to comply with the FADP, the U.S. Department of Commerce in consultation with the Federal Data Protection and Information Commissioner of Switzerland developed a "safe harbor" framework and this website to provide the information an organization would need to evaluate – and then join – the U.S.-Swiss Safe Harbor program.
Please note that the form used for self-certifying compliance with the U.S.-Swiss Safe Harbor Framework is identical to that used for self-certifying compliance with the U.S.-EU Safe Harbor Framework; nevertheless, an organization is not required to self-certify to one of the Safe Harbor Frameworks in order to self-certify to the other. Organizations should also note that when they select “Switzerland” as a country from which they receive personal data, they are self-certifying compliance with the U.S.-Swiss Safe Harbor Framework. It is critically important that an organization read the U.S.-Swiss Safe Harbor Privacy Principles, 15 FAQs, and enforcement documents before submitting a self-certification form.
Checklist for Joining the U.S.-Swiss Safe Harbor:
If your organization is considering joining:
· Read the U.S.-Swiss Safe Harbor Overview.
· Read the U.S.-Swiss Safe Harbor Framework Documents.
· Review the Helpful Hints on Self-Certifying Compliance with the U.S.-Swiss Safe Harbor Framework.
· Review the Safe Harbor Workbook.
If your organization decides to join:
· Bring your organization's policies and practices into compliance with the requirements outlined in Helpful Hints on Self-Certifying Compliance with the U.S.-Swiss Safe Harbor Framework.
· Review the Information Required for Self-Certification.
· Complete and submit the Certification Form.
Upon receipt of your organization’s self-certification submission and corresponding processing fee, the submission will be reviewed for completeness. If and when the submission is deemed complete, it will be posted to the U.S.-Swiss Safe Harbor List, available on this website.
U.S.-SWISS SAFE HARBOR PRIVACY PRINCIPLES
Issued by the U.S. Department of Commerce on February 16, 2009
The privacy legislation of Switzerland (Federal Act on Data Protection, FADP) became effective on June 19, 1992. It requires that transfers of personal data take place only to third countries that provide an “adequate” level of privacy protection (Art. 6 FADP). While the United States and Switzerland share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by Switzerland. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. Given those differences, many U.S. organizations have expressed uncertainty about the impact of the required “adequacy standard” on personal data transfers from Switzerland to the United States.
To diminish this uncertainty and provide a more predictable framework for such data transfers, the Department of Commerce is issuing this document and Frequently Asked Questions (“the Principles”) under its statutory authority to foster, promote, and develop international commerce. As the Swiss and EU legislation on data protection may be considered equivalent, the U.S.-Swiss Safe Harbor Principles and FAQs are modeled on the Principles and FAQs developed for the U.S.-EU Safe Harbor. They are intended for use by U.S. organizations receiving personal data from Switzerland for the purpose of qualifying for the safe harbor and the presumption of “adequacy” it creates. Because the Principles were solely designed to serve this specific purpose, their adoption for other purposes may be inappropriate.
Decisions by organizations to qualify for the safe harbor are entirely voluntary, and organizations may qualify for the safe harbor in different ways. Organizations that decide to adhere to the Principles must comply with the Principles in order to obtain and retain the benefits of the safe harbor and publicly declare that they do so. For example, if an organization joins a self-regulatory privacy program that adheres to the Principles, it qualifies for the safe harbor. Organizations may also qualify by developing their own self-regulatory privacy policies provided that they conform with the Principles. Where in complying with the Principles, an organization relies in whole or in part on self-regulation, its failure to comply with such self-regulation must also be actionable under Section 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts or another law or regulation prohibiting such acts. (See the annex for the list of U.S. statutory bodies recognized by Switzerland.) In addition, organizations subject to a statutory, regulatory, administrative or other body of law (or of rules) that effectively protects personal privacy may also qualify for safe harbor benefits. In all instances, safe harbor benefits are assured from the date on which each organization wishing to qualify for the safe harbor self-certifies to the Department of Commerce (or its designee) its adherence to the Principles in accordance with the guidance set forth in the Frequently Asked Question on Self-Certification.
Adherence to these Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of Swiss or cantonal data protection measures is to allow exceptions or derogations, provided they are applied in comparable contexts. Consistent with the goal of enhancing privacy protection, organizations should strive to implement these Principles fully and transparently, including indicating in their privacy policies where exceptions to the Principles permitted by (b) above will apply on a regular basis. For the same reason, where the option is allowable under the Principles and/or U.S. law, organizations are expected to opt for the higher protection where possible.
Organizations may wish for practical or other reasons to apply the Principles to all their data processing operations, but they are only obligated to apply them to data transferred after they enter the safe harbor. To qualify for the safe harbor, organizations are not obligated to apply these Principles to personal information in manually processed filing systems. Organizations wishing to benefit from the safe harbor for receiving information in manually processed filing systems from Switzerland must apply the Principles to any such information transferred after they enter the safe harbor. An organization that wishes to extend safe harbor benefits to human resources personal information transferred from Switzerland for use in the context of an employment relationship must indicate this when it self-certifies to the Department of Commerce (or its designee) and conform to the requirements set forth in the Frequently Asked Question on Self-Certification. Organizations will also be able to provide the safeguards necessary under Article 6.2 FADP if they include the Principles in written agreements with parties transferring data from Switzerland for the substantive privacy provisions, once the other provisions for such model contracts are authorized by the Federal Data Protection and Information Commissioner (hereafter “the Commissioner”).
U.S. law will apply to questions of interpretation and compliance with the Safe Harbor Principles (including the Frequently Asked Questions) and relevant privacy policies by safe harbor organizations, except where organizations have committed to cooperate with the Commissioner. Unless otherwise stated, all provisions of the Safe Harbor Principles and Frequently Asked Questions apply where they are relevant.
“Personal data” and “personal information” are data about an identified or identifiable individual that are within the scope of the FADP, received by a U.S. organization from Switzerland, and recorded in any form.
U.S.-SWISS SAFE HARBOR LIST search here https://safeharbor.export.gov/swisslist.aspx