eDiscovery Daily Blog

• January 20, 2017

This appears to be our week to cover privacy stories on the blog.  First, The Sedona Conference® (TSC) released the public comment version of its new Data Privacy Primer (which we covered on Tuesday).  Also, last week, U.S. and Swiss authorities announced final agreement on the Swiss-U.S. Privacy Shield Framework.

The JD Supra article Swiss-U.S. Privacy Shield Finalized (written by Michael Young of Alston & Bird and originally sourced here), indicates that the Framework defines standards for handling personal data exported from Switzerland to the U.S. and enables U.S. companies to meet Swiss legal requirements to protect personal data transferred from Switzerland.  Like the EU-US Privacy Shield was adopted to replace the old Europe Safe Harbor agreement after it declared invalid by the by the European Court of Justice, this Framework is a successor to the former Swiss-U.S. Safe Harbor framework, which was declared invalid by the Swiss data protection commissioner following the invalidation of European Safe Harbor.

U.S. companies may participate in the Framework through an application to the International Trade Association in the U.S. Department of Commerce. Starting April 12, U.S. companies may make an application self-certifying their compliance with Swiss-U.S. Framework Principles.

As Young’s article notes, the Swiss-U.S. Privacy Shield Framework is modeled off of the EU-U.S. Privacy Shield Framework approved by the EU Commission in July last year and the two Framework principles are largely identical. However, they differ slightly with regard to the definition of “sensitive information” – the Swiss Framework expressly includes within its definition of “sensitive information” any “information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings (unlike the EU-U.S. Framework).” As a result, companies who certify their compliance under the Swiss-U.S. Framework may need to implement further measures to secure opt-in consent if such “sensitive information” is shared with third parties or used for purposes which were not clear at the time of original collection.

Because the EU-U.S. Privacy Shield Framework extended only to members of the European Economic Area (EEA) and Switzerland is not a member of the EEA, U.S. and Swiss officials sought a separate Privacy Shield agreement.  Since the EU-U.S. Privacy Shield Framework already faces legal challenges in European courts, it will be interesting to see if the Swiss-U.S. Framework quickly faces those same challenges.

The Swiss-U.S. Privacy Shield Framework is contained within this 69 page document which includes Department of Commerce letters describing the Framework (the Framework itself begins on page 13 of the document).  For more information on the self-certification program, click here.

So, what do you think?  Will both Privacy Shield Frameworks survive legal challenges?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.