On August 14, 2024, the Federal Council of Switzerland announced in a press release the launch of the "Swiss-U.S. Data Privacy Framework," a new framework to regulate the transfer of personal data between the two countries. The framework is designed to ensure that personal data sent from Switzerland to certified organizations in the U.S. is protected according to agreed-upon standards.
According to the press release, the Federal Council approved the relevant amendment to the Data Protection Ordinance, Switzerland data privacy law, at its meeting on August 14, 2024, adding the United States to the list of countries with an adequate level of data protection. This amendment will go into force on September 15, 2024.
The Swiss-U.S. Data Privacy Framework replaces the previous Swiss-U.S. Privacy Shield, which was invalidated following a ruling by the European Union’s Court of Justice in the Schrems II Case, which raised concerns about data transfers from the EU to the U.S.
In response, Switzerland and the U.S. discussed establishing a new framework that aligns with Switzerland's updated data protection laws, which came into force in September 2023.
The framework applies to the transfer of personal data from Switzerland to U.S. organizations that have been certified under this new system. These organizations must adhere to specific privacy principles, including:
The framework includes several safeguards to protect personal data when accessed by U.S. authorities, particularly for law enforcement and national security purposes. These safeguards are backed by various legal instruments, including the U.S. Constitution and specific legislation like the Foreign Intelligence Surveillance Act (FISA).
To ensure compliance, the U.S. Department of Commerce oversees the certification process and monitors participating organizations. If an organization fails to comply with the framework's principles, it may be removed from the list of certified organizations, which would prevent it from receiving personal data from Switzerland. The Federal Trade Commission (FTC) and the Department of Transportation (DoT) have been designated as enforcement bodies with the authority to investigate and address non-compliance.
The framework also establishes multiple mechanisms for individuals to seek redress if they believe their data has been mishandled. Swiss individuals can file complaints with the Federal Data Protection and Information Commissioner (FDPIC), who will coordinate with U.S. authorities to investigate and resolve these issues. Additionally, the framework includes a Data Protection Review Court (DPRC), an independent body that provides binding decisions on data-related complaints.
The Swiss-U.S. Data Privacy Framework is intended to facilitate cross-border data transfers while protecting personal data. This framework sets a precedent that other countries may model for future agreements of a similar nature.
The framework will be subject to continuous monitoring and potential revisions to ensure it meets evolving data protection standards, with both Switzerland and the U.S. committed to maintaining a high level of data protection under this agreement.