Abstract

According to a press release published on August 14, 2024, the Swiss Federal Council approved the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), effective from September 15, 2024. According to this decision, U.S. companies participating in the Swiss-U.S. DPF ensure an adequate level of data protection under the Swiss Data Protection Act (DPA), so that personal data may be disclosed to participating U.S. companies without having to enter into EU Standard Contractual Clauses (SCC) and without the need for a data transfer impact assessment.

As from September 15, 2024, the New Framework Will Facilitate the Disclosure of Personal Data from Switzerland to the U.S.

What Is New?

By way of its decision of August 14, 2024, the Swiss Federal Council has recognized that the Swiss-U.S. DPF provides for an adequate level of data protection when private companies or public authorities in Switzerland disclose personal data to U.S. companies that participate in the Swiss-U.S. DPF. Annex 1 of the Swiss Federal Ordinance on Data Protection will be updated to include such disclosures under the Swiss-U.S. DPF as guaranteeing an adequate level of data protection.

Switzerland thus follows the approach taken earlier by the EU with the adoption of the EU-U.S. Data Privacy Framework (EU-U.S. DPF) (see our Bulletin of July 11, 2023). The new Swiss-U.S. DPF substantially corresponds to the EU-U.S. DPF, which marked the (preliminary) end of a period of uncertainty for disclosures of personal data to the U.S. after the «Schrems II» landmark decision of the Court of Justice of the European Union (CJEU) struck down the predecessor of the EU-U.S. DPF (see our Bulletin of July 16, 2020).

Most importantly, the Swiss-U.S. DPF provides for the following:

  • The U.S. aligns its legal system with fundamental principles of Swiss law by way of the U.S. Executive Order 14086 executed by President Biden on October 7, 2022 (EO 14086). The changes include a limitation of U.S. intelligence activities to what is proportionate, oversight of U.S. intelligence services, and effective redress. Earlier this year, on June 13, 2024, the U.S. Attorney General designated Switzerland as a qualifying state for purposes of implementing the redress mechanism.
  • U.S. companies may self-certify that they adhere to a defined set of privacy principles. Certified U.S. companies must ensure in particular the rights for data subjects as known from the DPA and redress options, including a free-of-charge independent dispute resolution mechanism and an arbitration panel. Compliance with these principles is monitored by the U.S. Department of Commerce (DoC) and enforced by the U.S. Federal Trade Commission.

When Will the Swiss-U.S. DPF Enter Into Force?

The new Swiss-U.S. DPF will be effective from September 15, 2024.

What Are the Consequences of the New Swiss-U.S. DPF?

The Swiss-U.S. DPF will facilitate disclosures of personal data from Switzerland to the U.S.: Once effective, Swiss data exporters will be able to disclose personal data to recipients in the U.S. who participate in the Swiss-U.S. DPF without having to enter into SCC or perform a data transfer impact assessment.

Even for companies continuing to rely on SCC, the new Swiss-U.S. DPF will facilitate their data disclosure to the U.S. and the data transfer impact assessment, given that the limitations imposed by the U.S. EO 14086 apply irrespective of whether personal data is disclosed under the Swiss-U.S. DPF or based on a different transfer instrument, such as the SCC.

Is There a List of U.S. Companies Participating in the Swiss-U.S. DPF?

The DoC maintains and publishes a list of U.S. companies that have self-certified and declared that they comply with the Swiss-U.S. DPF (DPF List, accessible here). There are exceptions as to which U.S. companies are eligible to participate in the Swiss-U.S. DPF, but Swiss data exporters can rely on the fact that companies on the list published by the DoC are certified.

Is There Still a Need to Execute a Data Transfer Agreement Under the Swiss-U.S. DPF?

Even when disclosing personal data under the Swiss-U.S. DPF, it is typically advisable for data exporters to enter into a suitable data transfer agreement with the data importer. This agreement should include the following, in addition to any other terms governing the relevant data disclosure in the specific circumstances:

  • Obligation to comply with the principles of the Swiss-U.S. DPF;
  • Obligation to remain duly certified under the Swiss-U.S. DPF;
  • Obligation to notify the data exporter immediately of a removal from the DPF List and the reason for such removal;
  • Mechanism to tackle the consequences of a removal from the DPF List.

What to Do with Existing SCC or Binding Corporate Rules?

In principle, SCC or binding corporate rules that were concluded earlier are no longer necessary for data disclosures to a U.S. data importer who participates in the Swiss-U.S. DPF. Companies should however carefully consider whether to fully migrate their disclosures of personal data to the U.S. to the Swiss-U.S. DPF as there may be valid reasons to continue relying on the SCC or binding corporate rules:

  • If the U.S. data importer is removed from the DPF List, the data disclosure is no longer considered to be covered by an adequate level of protection. Existing SCC or binding corporate rules could still serve as a fallback to ensure adequate protection; and
  • The validity of the EU-U.S. DPF is already being challenged through lawsuits in the EU, as its predecessors were. Should the CJEU ultimately decide to invalidate the EU-U.S. DPF, this will in all likelihood also impact the Swiss-U.S. DPF and companies relying exclusively on the Swiss-U.S. DPF may be left unprotected. Thus, maintaining existing SCC or binding corporate rules may serve as a protection should the Swiss-U.S. DPF be invalidated at some point.

What Are the Consequences of a Removal from the DPF List?

U.S. companies may fall off the DPF List of participating companies if:

  • They voluntarily withdraw from the Swiss-U.S. DPF;
  • They fail to complete their annual re-certification; or
  • They persistently fail to comply with the principles.

For data disclosures that occurred prior to the removal of the U.S. company from the DPF List, the Swiss data exporter may argue that these disclosures were made lawfully under the adequacy decision.

For data disclosures that occurred after the removal of the U.S. company from the DPF List, the Swiss Federal Council’s adequacy decision does not apply. Instead, the parties must guarantee an adequate level of data protection by other means recognized by the law, including SCC or binding corporate rules. If no such guarantees can be put in place, the U.S. data importer should return or delete the personal data.

Is the Swiss-U.S. DPF a Permanent Solution for Swiss-U.S. Data Disclosures?

In principle, the Swiss-U.S. DPF is intended to be a permanent solution. However, it marks the third attempt of Swiss and U.S. authorities to facilitate transatlantic disclosure of personal data, after the CJEU struck down first the EU-U.S. Safe Harbor Framework, and then the EU-U.S. Privacy Shield (with the so-called «Schrems II» decision, see our Bulletin of July 16, 2020), which in each case also ended the corresponding arrangements between Switzerland and the U.S. Given that the EU-U.S. DPF is already being challenged through lawsuits in the EU, time will tell whether the EU-U.S. DPF and the Swiss-U.S. DPF will withstand the judicial review.

In addition, the U.S. legislation may change. The Swiss Federal Council will constantly monitor the relevant U.S. decisions and review the adequacy decision on a regular basis. The first review will take place one year from now. If the Swiss-U.S. DPF malfunctions, the adequacy decision will be adjusted or withdrawn.

If you have any questions about this Bulletin, please get in touch with your Homburger contact or: