New Swiss-U.S. Data Privacy Framework to Regulate Data Transfers
On August 14, 2024, the Federal Council of Switzerland announced in a press release the launch of the "Swiss-U.S. Data Privacy Framework," a new framework to regulate the transfer of personal data between the two countries. The framework is designed to ensure that personal data sent from Switzerland to certified organizations in the U.S. is protected according to agreed-upon standards.
According to the press release, the Federal Council approved the relevant amendment to the Data Protection Ordinance, Switzerland's data privacy law, at its meeting on August 14, 2024, adding the United States to the list of countries with an adequate level of data protection. This amendment will enter into force on September 15, 2024.
Background of the Framework
The Swiss-U.S. Data Privacy Framework replaces the previous Swiss-U.S. Privacy Shield, which was invalidated following a ruling by the European Union’s Court of Justice in the Schrems II case, a ruling that raised concerns about data transfers from the EU to the U.S.
In response, Switzerland and the U.S. discussed establishing a new framework that aligns with Switzerland's updated data protection laws, which came into force in September 2023.
Scope and Obligations
The framework applies to the transfer of personal data from Switzerland to U.S. organizations that have been certified under this new system. These organizations must adhere to specific privacy principles, including:
- Certification and Adherence: U.S. organizations must certify their compliance with the framework's privacy principles annually. This includes commitments to protect personal data and limit its use to the purposes for which it was initially collected.
- Data Security: Organizations must implement security measures to protect personal data from unauthorized access or misuse.
- Transparency and Rights of Data Subjects: Organizations must inform individuals about how their data is processed and must provide mechanisms for individuals to access, correct, or delete their data.
- Onward Transfers: When personal data is transferred to another party, the receiving party must provide the same level of protection as required by the framework.
Legal Safeguards and Enforcement
The framework includes several safeguards to protect personal data when accessed by U.S. authorities, particularly for law enforcement and national security purposes. These safeguards are backed by various legal instruments, including the U.S. Constitution and specific legislation like the Foreign Intelligence Surveillance Act (FISA).
To ensure compliance, the U.S. Department of Commerce oversees the certification process and monitors participating organizations. If an organization fails to comply with the framework's principles, it may be removed from the list of certified organizations, which would prevent it from receiving personal data from Switzerland. The Federal Trade Commission (FTC) and the Department of Transportation (DoT) have been designated as enforcement bodies with the authority to investigate and address non-compliance.
Redress Mechanisms
The framework also establishes multiple mechanisms for individuals to seek redress if they believe their data has been mishandled. Swiss individuals can file complaints with the Federal Data Protection and Information Commissioner (FDPIC), who will coordinate with U.S. authorities to investigate and resolve these issues. Additionally, the framework includes a Data Protection Review Court (DPRC), an independent body that provides binding decisions on data-related complaints.
International and Future Steps
The Swiss-U.S. Data Privacy Framework is intended to facilitate cross-border data transfers while protecting personal data. This framework sets a precedent that other countries may use as a model for future agreements of a similar nature.
The framework will be subject to continuous monitoring and potential revisions to ensure it meets evolving data protection standards, with both Switzerland and the U.S. committed to maintaining a high level of data protection under this agreement.
Alex is a Content Developer at Clym, where he researches and writes about everything related to data privacy and web accessibility compliance for businesses, helping them stay informed on their compliance needs and spreading awareness about making the web safer and more inclusive. When he’s not writing about compliance, Alex has his nose in a book or is hiking in the great outdoors.