Swiss-US Privacy Shield Framework Announced

International commerce is a huge business, but one of the challenges involved in conducting international business is that different countries may have different laws concerning privacy and the handling of personal data. Many companies in the United States conduct business in Europe, and Europe is well known around the world for being avidly in support of customer data privacy. Many countries in Europe – Switzerland in particular – have a reputation for protecting customer privacy, and these countries often have strict laws concerning how personal data must be handled and protected.

There is great interest in ensuring that transatlantic business transactions take place legally, and as such the U.S. Department of Commerce has worked with Swiss authorities to develop a new Swiss-U.S. Privacy Shield framework under which U.S. companies can certify their compliance with Swiss data privacy laws. The U.S. Secretary of Commerce Wilbur Ross recently announced that the Swiss-U.S. Privacy Shield framework has officially launched online in the U.S. as of April 12, 2017.  

The Swiss-U.S. Privacy Shield Framework is Now Accepting Self-Certifications

The Privacy Shield framework provides U.S. companies with a mechanism that they can use in order to be in compliance with Swiss data protection laws when conducting transfers of personal data from Switzerland to the U.S. The new Swiss-U.S. Privacy Shield framework replaces the old U.S.-Swiss Safe Harbor Framework, which was formerly used by more than four thousand American companies. U.S. companies that were conducting business under the U.S.-Swiss Safe Harbor Framework will need to update their data handling and protection policies to ensure that they are in compliance with the new Swiss-U.S. Privacy Shield framework.

Once compliant, U.S. companies can self-certify their compliance with the Swiss-U.S. Privacy Shield framework through the International Trade Administration at the U.S. Department of Commerce. Certifications can be made online through the Privacy Shield website.  

• U.S. companies that are already self-certified under the EU-U.S. Privacy Shield framework can log on and self-certified under the Swiss-U.S. Privacy framework and pay the required fee with just a few clicks of the computer mouse.
• U.S. companies who are new to the Privacy Shield frameworks will be required to pay a separate annual fee to the International Trade Administration in addition to the required fee associated with self-certification under the Swiss-U.S. Privacy framework.

Benefits of the Swiss-U.S. Privacy Shield Framework

U.S. companies that certify under the Swiss-U.S. Privacy Shield framework are deemed to provide “adequate” privacy protection, which is a requirement in order to be able to transfer personal data from the U.S. to Switzerland. For companies that are unsure about how to become compliant, the Swiss-U.S. Privacy Shield framework clearly lays out a plan for compliance. Additionally, compliance is cost-effective, which is a benefit for small to mid-sized companies that want to conduct business in Switzerland.

Contact an Internet Lawyer

U.S. companies that have questions about becoming compliant under the Swiss-U.S. Privacy Shield framework can contact an experienced privacy attorney for guidance. The professionals at Revision Legal can help. Contact us using the form on this page or call us at 855-473-8474.

The Schrems II Decision and What Came After: The Current State of Transatlantic Data Transfers

The Swiss-U.S. Privacy Shield Framework discussed in this post was part of a broader ecosystem of transatlantic data transfer mechanisms that has since been significantly disrupted and reconstructed. The July 2020 decision of the Court of Justice of the European Union in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Schrems II), C-311/18, invalidated the EU-U.S. Privacy Shield Framework—and with it, the legal basis on which thousands of companies were relying for transatlantic data transfers.

What Schrems II Held and Why It Matters for Swiss Data Transfers

Schrems II held that the EU-U.S. Privacy Shield failed to provide an adequate level of protection for EU personal data transferred to the United States, primarily because U.S. surveillance programs—particularly those conducted under Section 702 of the Foreign Intelligence Surveillance Act—did not offer EU data subjects rights equivalent to those guaranteed by EU law, and because EU data subjects lacked effective judicial redress against U.S. intelligence agency access to their data.

The Swiss Federal Data Protection and Information Commissioner (FDPIC) subsequently determined that the Swiss-U.S. Privacy Shield also provided inadequate protection for Swiss personal data, applying reasoning parallel to the Schrems II analysis. This left U.S. companies relying on the Swiss-U.S. Privacy Shield without a valid legal basis for Swiss data transfers.

Standard Contractual Clauses as the Current Mechanism

In the aftermath of Privacy Shield invalidation, Standard Contractual Clauses (SCCs) became the primary mechanism for both EU and Swiss personal data transfers to the United States. SCCs are model contract terms approved by the European Commission (and adopted by Switzerland for Swiss data transfers) that bind the data importer—the U.S. company receiving the data—to specific data protection obligations. Unlike Privacy Shield, SCCs do not require self-certification; they require actual contractual commitments backed by enforceable legal obligations.

The European Commission issued updated SCCs in June 2021, replacing the previous versions that had been in use since 2010. The new SCCs address Schrems II concerns by requiring data importers to assess whether the laws of the destination country would impede compliance with the SCC obligations—including conducting a Transfer Impact Assessment (TIA) to evaluate whether U.S. government access to transferred data could undermine the protections the SCCs are designed to provide.

The EU-U.S. Data Privacy Framework: The New Adequacy Decision

In July 2023, the European Commission issued an adequacy decision for the EU-U.S. Data Privacy Framework (DPF), establishing a new legal mechanism for EU-U.S. data transfers that addresses the specific concerns raised in Schrems II. The DPF established new limitations on U.S. intelligence access to EU personal data and created a Data Protection Review Court to provide redress for EU individuals. U.S. companies can self-certify under the DPF through the Department of Commerce, similar to the prior Privacy Shield process.

Switzerland has developed a parallel Swiss-U.S. Data Privacy Framework, recognizing that a U.S. company’s self-certification under the DPF also provides an adequate legal basis for Swiss-U.S. data transfers. Companies that were previously certified under the Swiss-U.S. Privacy Shield need to review and update their certification under the new framework.

Practical Steps for Companies Transferring Data from Switzerland or the EU

Given the evolving legal landscape, companies engaged in transatlantic data transfers should take the following steps:

• Conduct an inventory of all personal data transfers from Switzerland or the EU to the United States, including transfers through third-party processors and cloud service providers.
• Assess which transfer mechanism currently supports each transfer—DPF certification, SCCs, or binding corporate rules.
• If relying on SCCs, ensure they are the updated 2021 versions and that Transfer Impact Assessments have been completed and documented for each transfer.
• Update data processing agreements with vendors to ensure they reference the correct transfer mechanisms.
• Monitor the DPF’s legal status—it has already been challenged before the CJEU, and a Schrems III invalidation remains a real possibility.

Contact the privacy and data compliance attorneys at Revision Legal to assess your company’s international data transfer compliance posture and ensure your legal framework is current. Reach out today.