toggle accessibility mode
us swiss safe harbor agreement

US-Swiss Safe Harbor Agreement: Bridging the Gap to Privacy Concerns

By John DiGiacomo

There has been widespread suggestion that privacy concerns will be this generation’s biggest and most daunting issue. Thanks to the Internet and society’s ever-growing reliance on it – posting our life stories on Social Media, using online banking systems, online shopping, and so forth – more and more people are becoming aware of just how much personal information is available online. Nations across the world recognize this issue and in many cases predicted it; in response there has been creation of legislation targeted at protecting the private information of their citizens.

Domestic legislation isn’t always enough, though. It dictates what companies within a single nation can do, but what about multi-national corporations that don’t recognize the existence of borders? Over the last few years, several international treaties targeting the use of private information have been ratified. In 2009, Switzerland approved the framework for the US-Swiss Safe Harbor Agreement.

The agreement provides an opportunity for US corporations to avoid business interruptions when dealing with Swiss citizens and prevent facing prosecution by Swiss authorities for violating domestic laws on the collection, storage and use of private information of Swiss nationals. By completing the self-certifying application under the agreement, foreign corporations ensure that Swiss organizations recognize that an American company will provide appropriate and adequate privacy protection, as provided for under Swiss law.

The Swiss Federal Act on Data Protection (“FADP”) became effective in July 1993 (with updates in January 2008). The FADP prohibits the transfer of personal information to other nations that don’t meet Switzerland’s strict standards for privacy protection.

The US and Switzerland approach privacy of citizens’ personal data very differently; Switzerland relies on legislation requiring the creation of an independent government data protection agency, registration with the agency, and sometimes, pre-approval to even begin processing personal information. In the US, the government relies on more of a sectoral approach, using a mix of legislation, regulations, and corporate self-monitoring. As a result of these differences, the two nations had to work together to create an integrated system that would allow for major US corporations to take part in the Swiss market.

The Swiss government keeps an updated list of US organizations that have been deemed to meet the “adequate” privacy protection standards so Swiss nationals can see who they can trust to protect their data before even providing their personal information. US corporations can enter the program on a voluntary basis: so a U.S. company that doesn’t have any business in Switzerland doesn’t have to think about this agreement at all. However, if that company’s expansion plans include Switzerland, there are some things to keep in mind.

To qualify for the Safe Harbor program, an organization can either join a self-regulatory privacy program adhering to the US-Swiss Safe Harbor requirements, or it can develop its own self-regulatory privacy policy that conforms to the framework.

There are seven Safe Harbor principles which organizations are required to follow:

  1. Notice – organizations must notify individuals regarding the purpose and use of the collection of personal information. This includes providing contact information for your organization in case anyone has questions.
  2. Choice – organizations must give individuals the opportunity to opt out of having their information shared with third parties or using the information in a way it wasn’t intended to be.
  3. Third Party Transfers – organizations must comply with the “notice” and “choice” requirements before transferring anyone’s data to third parties. The organization must also ensure that the third party also follows the US-Swiss Safe Harbor policies.
  4. Access – individuals must be able to access their information for the purposes of changing, updating or deleting it. The exception in this case is where the burden or expense of providing this option is too great for the corporation to take on.
  5. Security – organizations have to take all reasonable precautions to protect the private information of individuals from loss, misuse and unauthorized access, alteration or destruction.
  6. Data integrity – the information collected must be relevant for its use and the organization must take reasonable steps to ensure the data is reliable, accurate and complete.
  7. Enforcement – to ensure compliance with the Safe Harbor principles, there must be:
    1. Readily available and economically accessible independent recourse mechanisms so complaints and disputes can be investigated sufficiently;
    2. Procedures for verification that the corporation’s commitments are adhered to; and
    3. Obligations to remedy problems that arise when a corporation fails to comply with any of these principles.

There are many components to the US-Swiss Safe Harbor Agreement. For more information on the agreement you can go the website created for it, or contact Revision Legal’s Internet Privacy attorneys by completing our contact form or calling 855-473-8474.


Image courtesy of Flickr user chriscom.

Put Revision Legal on your side