A new data protection framework enables a secure exchange of personal data between Switzerland and certified US companies. This is the conclusion reached by the Federal Council at its meeting on August 14, 2024. It approved corresponding changes to the Data Protection Ordinance (DSV) and, to this extent, placed the USA on the list of countries with an adequate level of data protection.
According to the communication, under the “Swiss-US Data Privacy Framework”, personal data from Switzerland can in future be transferred to certified companies in the USA – without additional guarantees. The certification is intended to ensure that the data protection measures and data protection guarantees provided are adhered to. In particular, these companies may only process data for the purposes for which it was collected.
Self-certification of companies
It also states that US companies can certify themselves accordingly. The decision as to whether a US company participates in the Data Privacy Framework (DPF) is voluntary, writes the responsible International Trade Organization (ITA). However, as soon as an organization certifies itself to the ITA and publicly declares that it is committed to complying with the DPF principles, this obligation is enforceable under American law.
A decision long overdue?
The Federal Council continues that within the framework, the transfer to third parties such as non-certified companies is not permitted. “Various safeguards are provided for US authorities to access personal data disclosed by Switzerland, including a complaints mechanism.”
Sven Kohlmeier, a lawyer specializing in IT, welcomes the decision in a LinkedIn post. It is long overdue, makes data transfer more business-friendly for companies and is in line with EU practice. The Swico association also speaks of a “long-awaited” agreement and welcomes the framework. It offers legal certainty and simplifies compliance requirements.
List of countries with adequate levels of protection
Since the new Swiss data protection law came into force, personal data may only be transferred abroad without additional guarantees if there is an adequate level of data protection in the receiving country. Which countries meet this requirement is determined by the Federal Council and published on a binding list.
The EU and the USA implemented the “EU-US Data Privacy Framework” in July 2023. With the Swiss-US DPF, the Federal Council is now creating a level playing field in Switzerland.