
An Overview of the Swiss-US Data Privacy Framework (DPF)

Contributors

Anas Baig

Product Marketing Manager at Securiti

Adeel Hasan

Sr. Data Privacy Analyst at Securiti

CIPM, CIPP/Canada

Introduction

The Swiss-U.S. Data Privacy Framework (DPF), also known as the Swiss-U.S. DPF, became operational on September 15, 2024. It enables certified U.S. organizations to receive personal data transferred from Switzerland without the additional safeguards that Switzerland’s Federal Act on Data Protection (FADP) would otherwise require for such transfers.

The Swiss-U.S. DPF incorporates stricter data protection principles and guarantees stronger enforcement than its predecessors, the Swiss-U.S. Privacy Shield and Safe Harbor Framework. The US Department of Commerce’s International Trade Administration (ITA) maintains a publicly available authoritative list of U.S. companies that have self-certified under the Swiss-U.S. DPF. Let’s dive a bit deeper into the framework and understand its value.

What is the Swiss-U.S. DPF?

The Swiss-U.S. DPF is a framework created to facilitate the secure transfer of personal data from Switzerland to certified U.S. organizations. The Swiss Federal Administration and the U.S. Department of Commerce collaborated to develop the DPF, which provides U.S. organizations with a reliable legal basis for transferring personal data from Switzerland to the U.S.

The framework protects individuals’ personal information during transatlantic transfers by requiring participating U.S. organizations to comply with the DPF’s data protection principles and guarantees, so that the transferred personal data receives an adequate level of protection.

In a statement, the U.S. Secretary of Commerce Gina Raimondo discussed Switzerland's adequacy ruling on the Swiss-U.S. DPF and emphasized its importance for enabling legal data transfers between Switzerland and the U.S.:

“The United States welcomes the Swiss Federal Council’s finding that the Swiss-U.S. DPF provides an adequate level of protection to transfer personal data from Switzerland to the United States. Effective September 15, 2024, this change enables organizations to transfer personal data from Switzerland to Swiss-U.S. DPF-certified organizations in the United States.

The Swiss-U.S. DPF offers U.S. businesses conducting business with Switzerland an affordable and efficient solution for transferring personal data in compliance with Swiss law. This mechanism will help thousands of small- and medium-sized businesses who rely on data transfers to serve global customers and perform essential business functions.”

Key Aspects of the Swiss-U.S. DPF

The Swiss-U.S. DPF encourages compliance with Swiss data protection regulations by providing a robust framework for lawful transatlantic data transfers from Switzerland to U.S.-certified businesses. Key aspects of the framework include:

I. Core Principles

Organizations that are certified under the Swiss-U.S. DPF must comply with several core principles, such as:

a. Notice

Organizations participating in the Swiss-U.S. DPF must provide clear notice to individuals about the following:

  • their participation in the DPF,
  • data collection practices,
  • purposes of data use,
  • rights to access and limit data use,
  • third-party disclosures,
  • dispute resolution options, and
  • investigatory and enforcement authorities.

This notice must be provided in clear language when personal information is first requested or before its use or disclosure for new purposes.

b. Choice

Organizations must provide individuals with the option to opt-out of third-party disclosures or the use of their data for purposes that are materially different from the original purpose for which the data was initially collected. The opt-out mechanisms must be clear, conspicuous, and readily available to the individuals. However, disclosures to third-party processors are not subject to the above requirement provided the processor performs its tasks as per the instructions from the organization and has entered into a binding legal agreement with the organization.

Additionally, before disclosing sensitive data to third parties or using it for purposes that are materially different from the original purpose for which the data was collected, organizations must obtain affirmative opt-in consent from the individuals.

c. Accountability for Onward Transfer

Organizations that transfer personal data to third-party processors must comply with the Notice and Choice Principles and enter into binding legal agreements with the processors to ensure that the data is processed for specified and limited purposes, providing an adequate level of protection comparable to that provided by the Principles. Furthermore, the third-party processors must notify the organization if they are unable to provide an adequate level of protection to the data and take reasonable measures to stop and remediate unauthorized processing.

d. Security

Given the risks associated with processing and the nature of the personal data, organizations that create, maintain, use, or disseminate personal information must take reasonable and appropriate safeguards to prevent loss, misuse, unauthorized access, disclosure, alteration, and destruction.

e. Data Integrity and Purpose Limitation

Organizations must ensure that personal data is accurate, complete, and up to date, and must limit it to what is necessary for the processing. Data must be retained only for as long as it is needed for the purpose for which it was collected (uses such as research or archiving are excepted) and must not be used in ways that are inconsistent with its intended purposes, all the while abiding by the Principles.

f. Access

Individuals must have access to the personal data that an organization has about them and be able to correct, amend, or delete it if it is incorrect or has been processed against the Principles, except for situations in which the costs or burden of granting access would be out of proportion to the risks to the individual’s privacy in question or where the rights of others would be violated.

g. Recourse, Enforcement and Liability

The DPF outlines mechanisms for ensuring compliance, an independent dispute resolution process that does not charge individuals, and strict penalties for non-compliance for effective privacy protection. In addition to addressing complaints, assisting authorities, and taking accountability for subsequent data transfers, organizations must ensure their privacy practices align with their stated policies. Public disclosure of non-compliance findings and binding arbitration may be necessary, with regulatory agencies such as the DOT and FTC providing monitoring to ensure accountability.

II. Exemptions under the Swiss-U.S. DPF

a. Sensitive Data

Organizations are exempt from obtaining opt-in consent for sensitive data processing if the processing is essential to an individual's interests, required for legal claims, medical care, legitimate non-profit activities, employment law obligations, or pertains to data that the individual has publicly disclosed.

b. Journalism

Press freedom is given priority when weighing privacy against journalistic activities under the U.S. First Amendment. The DPF does not apply to personal data that is gathered for broadcast, publication, or any other form of public communication of journalistic material. Previously published material disseminated from media archives is likewise exempt from the DPF.

c. Secondary Liability

The DPF exempts Internet service providers (ISPs), telecom carriers, and other entities from liability when they merely transmit, route, switch, or cache data on behalf of another entity. The Swiss-U.S. DPF does not create secondary liability. A company would not be held accountable if it only served as a conduit for data sent by third parties and did not choose how and why to process that personal data.

d. Performing Due Diligence and Conducting Audits

When required by law or to protect legitimate organizational interests, auditors and investment bankers may process personal data during audits, due diligence, or similar activities without the individual's knowledge or consent. This covers situations where confidentiality must be maintained, such as legal requirements, compliance monitoring, and transactions such as mergers and acquisitions, where early disclosure could be harmful or illegal.

III. Self-Certification

To receive data transfers from Switzerland, U.S. businesses must self-certify to the Department of Commerce that they comply with the Swiss-U.S. DPF Principles. This involves aligning their privacy practices with the Principles, publicly committing to comply with them and implementing them in practice, and being subject to enforcement by the relevant authorities. Participants must renew their certification annually to remain eligible.

IV. Data Subject Rights

The DPF empowers data subjects with rights such as:

a. Right to Access

The Access Principle ensures that individuals can verify whether their data is being handled, assess its legality and accuracy, and request corrections or deletions as necessary. In responding to access requests, organizations must act in good faith: interacting with individuals to resolve ambiguous requests, redacting protected material where needed, and explaining any limitations on access.

b. Right to Obtain Confirmation

Individuals can obtain access and verify whether an organization has their personal data. Organizations are allowed to charge a fair fee for access, particularly for excessive or repetitive requests, but they are not allowed to refuse access if the individual agrees to pay.

Organizations may limit recurring access requests according to criteria such as how frequently the data is updated and the purpose of the request, and may require identity verification before granting access; in all cases they must reply clearly and concisely within a reasonable amount of time.

V. Privacy Policy Requirements

Participating organizations must revise their privacy policies to comply with the DPF. After the adequacy recognition, privacy policy updates must be finished within three months (by December 15, 2024).

VI. Contractual Obligations

Transferring personal data from Switzerland to the U.S. for processing necessitates data processing contracts, which ensure data processors comply with controllers' guidelines, put in place sufficient security measures, and honor individuals' rights.

Transfers between controllers require contracts that ensure protection comparable to the Swiss-U.S. DPF Principles, even if the recipient is not a participant, whereas transfers within a corporate group may rely on internal rules to ensure adequate protection.

VII. Enforcement and Compliance Mechanisms

a. Recourse Mechanisms

Organizations must ensure transparency, offer free and impartial dispute resolution within 45 days, and encourage individuals to file concerns with organizations directly first. In addition to providing complete procedural guidance to individuals, they must publish information about their services and an annual report that includes statistics on complaints, resolution times, and results.

b. FTC Action

The FTC investigates noncompliance with the DPF Principles and may issue cease-and-desist orders or impose penalties.

Organizations that consistently violate the DPF Principles may be removed from the Data Privacy Framework List, forfeit the benefits that come with it, and have to destroy or return any personal data they have obtained. The Department ensures transparency regarding compliance status and provides entities with 30 days to respond to removal decisions.

Impact on Businesses

The DPF significantly impacts businesses engaged in transatlantic data transfers.

a. Streamlined Data Transfers

Enables seamless cross-border data transfers between the U.S. and Switzerland while ensuring compliance with Swiss data protection regulations.

Streamlines legal obligations and processes for organizations that handle the personal data of Swiss individuals.

c. Fosters Transparency and Trust

Enhances operational transparency and trust with relevant stakeholders.

d. Compliance Requirements

Requires organizations to ensure a smooth dispute resolution procedure, adopt robust data protection measures, and ensure self-certification.

e. Credibility at Stake

Non-compliance can lead to removal from the Data Privacy Framework List and other adverse consequences, negatively impacting business reputation and operations.

VIII. Enforcement

Compliance with these principles is monitored by the U.S. Department of Commerce (DoC) and enforced by the U.S. Federal Trade Commission.

IX. How Securiti Can Help

Navigating ever-evolving privacy requirements can be complex, especially in relation to cross-border data transfers. Securiti’s suite of automation modules offers a comprehensive solution for organizations seeking to ensure compliance with the Swiss-U.S. Data Privacy Framework (DPF).

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.

Request a demo to learn more.
