{"id":2985,"date":"2017-02-24T18:30:00","date_gmt":"2017-02-25T00:30:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&#038;p=2985"},"modified":"2024-12-18T14:14:11","modified_gmt":"2024-12-18T20:14:11","slug":"privacy-shield-replaces-safe-harbor","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/privacy-shield-replaces-safe-harbor\/","title":{"rendered":"Swiss U.S. Privacy Shield Replaces Safe Harbor"},"content":{"rendered":"\t\t<section id=\"block_016a1f71ab0f6ee7033d7a16605c02c1\" class=\"resource-intro intro-simple\">\n\t\t\t<div class=\"container\">\n\t\t\t\t\t\t\t\t\t<strong class=\"sub-title block uppercase\">Articles<\/strong>\n\t\t\t\t\t\t\t\t\t\t<h1>Swiss U.S. Privacy Shield Replaces Safe Harbor<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t<section id=\"block_3a7f778b8f18cf8e570f0b8efcc44c8f\" class=\"columns-content\">\n\t\t<div class=\"container\">\n\t\t\t<div class=\"left\">\n\t\t\t\t\t\t<div class=\"person-wrap\">\n\t\t\t<span>\t\t\t\t\t\t\t<div class=\"img-holder\">\n\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"110\" height=\"110\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/people-placeholder-lt-blue.png\" class=\"attachment-full size-full wp-post-image\" alt=\"\" \/>\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<div class=\"text-holder\">\n\t\t\t\t\t\t\t\t\t\t\t<strong class=\"block name\">Annie Greenley-Giudici<\/strong>\n\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/span>\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t<div class=\"middle\">\n\t\t\t\t<div class=\"content\">\n\t\t\t\t\t<p>In January 2016, the United States Department of Commerce and Switzerland\u2019s Federal Council declared that the new\u00a0<a href=\"https:\/\/trade.gov\/td\/services\/odsi\/swiss-us-privacyshield-framework.pdf\" target=\"_blank\" rel=\"noopener\">Swiss-US Privacy Shield Framework<\/a>\u00a0will succeed the Swiss-US Safe Harbor framework.<\/p>\n<p>The Swiss-US Safe Harbor framework was declared 
invalid in October 2015 following the EU Court of Justice\u2019s decision that it was an inadequate legal mechanism for personal data transfers to the US.<\/p>\n<p>Since then, officials have drafted a new framework to ensure that the Swiss-US Privacy Shield Framework improves upon the Safe Harbor framework by including stricter data protection principles.<\/p>\n<h2>New requirements and principles as Swiss-US Privacy Shield replaces Safe Harbor<\/h2>\n<p>The new framework includes<\/p>\n<ul>\n<li>enhanced requirements around notice, onward transfers and data retention,<\/li>\n<li>improved framework management by\u00a0<a href=\"https:\/\/blog.trustarc.com\/blog\/2015\/08\/18\/13-companies-settle-ftc-false-us-eu-us-swiss-safe-harbor-claims\/\" target=\"_blank\" rel=\"noopener\">US authorities<\/a>,<\/li>\n<li>and new mechanisms for individuals to obtain recourse for violations.<\/li>\n<\/ul>\n<p>While the replacement occurred immediately,\u00a0<strong>the Department of Commerce will begin accepting certifications on April 12, 2017,<\/strong>\u00a0so that organizations can review the new Swiss-US\u00a0Privacy Shield\u00a0Principles.<\/p>\n<p>The mechanism for personal data transfers from member countries of the European Economic Area (EEA) is the\u00a0EU-US Privacy Shield.<\/p>\n<p>Because\u00a0Switzerland is not a member of the EEA, Swiss and US officials developed this separate agreement.<\/p>\n<p>Although the two agreements are separate, the Swiss-US Privacy Shield framework parallels the EU-US Privacy Shield framework in many ways.<\/p>\n<p style=\"padding-left: 40px\">The Federal Council stated that\u00a0<em><strong>\u201cthe fact that the two frameworks are similar is highly significant, as it guarantees the same general conditions for persons and businesses in Switzerland and the EU\/EEA area in relation to trans-Atlantic data flows.\u201d<\/strong><\/em><\/p>\n<p>While the two agreements are similar in many ways, there are still some areas where the two 
agreements vary.<\/p>\n<p>Organizations should not assume that certification for EU-US Privacy Shield translates directly to certification for Swiss-US Privacy Shield.<\/p>\n<p>An organization\u2019s privacy posture should be assessed and verified against the new Swiss-US framework.<\/p>\n<h2>Are you ready for the end of the Privacy Shield grace period?<\/h2>\n<p>The 9-month \u201cgrace period\u201d will soon come to a close for companies that self-certified with the Department of Commerce before the September 30, 2016 deadline.<\/p>\n<p>The grace period was given to these companies so that they could ensure that all of their third party vendors met the Accountability for Onward Transfer principle.<\/p>\n<p>The grace period ends soon, meaning that the deadline is fast approaching.<\/p>\n<p><strong>The Privacy Shield\u00a0<a href=\"https:\/\/www.privacyshield.gov\/article?id=3-ACCOUNTABILITY-FOR-ONWARD-TRANSFER\" target=\"_blank\" rel=\"noopener\">Accountability for Onward Transfer<\/a>\u00a0principle, Section II, 3.b., states:<\/strong><\/p>\n<p style=\"padding-left: 40px\">To transfer personal data to a third party acting as an agent, organizations must<\/p>\n<p style=\"padding-left: 40px\">(i) transfer such data only for limited and specified purposes;<br \/>\n(ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;<br \/>\n(iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization\u2019s obligations under the Principles;<br \/>\n(iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;<br \/>\n(v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized
processing; and<br \/>\n(vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.<\/p>\n<p>In sum, maintaining your Privacy Shield certification by adhering to the Accountability for Onward Transfer principle requires a lot of due diligence.<\/p>\n<h3>Third party vendor relationship requirements<\/h3>\n<p>When a company has a relationship with a third party vendor involving the transfer of personal information to that vendor, the company has to ensure that the vendor will process personal information in a manner consistent with the company\u2019s obligations under the Principle.<\/p>\n<p>The company\u2019s contract with the vendor also has to state that the data the company transfers to it can only be used for limited and specified purposes.<\/p>\n<p><strong>What\u2019s more, vendors acting as agents have to cease and take steps to remediate unauthorized processing.<\/strong><\/p>\n<p>For most companies, this is a lot of work that is extremely time-consuming.<\/p>\n<p><strong>Larger organizations may use thousands of vendors.<\/strong><\/p>\n<p>The initial grace period concession was given in light of the time it may take a company to comply with this principle.<\/p>\n<p>For example, a few of the hundred vendors that a typical mid-sized business uses include a marketing automation system, a customer relationship management system, an administrative services system, and a payroll system.<\/p>\n<h3>How will companies adhere to the Accountability for Onward Transfer Principle?<\/h3>\n<p>One option is to\u00a0<a href=\"https:\/\/blog.trustarc.com\/2022\/03\/03\/are-privacy-spreadsheets-compliant\/\" target=\"_blank\" rel=\"noopener\">compile a large spreadsheet<\/a>\u00a0and call, email, or meet with internal business or process owners.<\/p>\n<p>Though this option is cost effective in terms of dollars,\u00a0<strong>it is not cost effective in terms of time, productivity, and
data integrity.<\/strong><\/p>\n<p>Technology solutions to automate the process and provide an easily accessible digital repository may have up-front costs.<\/p>\n<p>But the\u00a0<a href=\"https:\/\/trustarc.com\/forrester-tei-roi-of-privacy\" target=\"_blank\" rel=\"noopener\">long term savings in terms of time, productivity, and maintaining data integrity will far outweigh initial up-front costs<\/a>.<\/p>\n<h2 class=\"entry-title\">Benefits of early Privacy Shield adoption<\/h2>\n<p>On August 1, 2016 the U.S. Department of Commerce (DOC) started accepting self-certifications for compliance with the Privacy Shield Principles.<\/p>\n<p>A number of companies have already started the process to self-certify with the DOC to take advantage of the grace period offered to early adopters of the Principles to get contracts with third parties updated.<\/p>\n<h3>How the Privacy Shield grace period works<\/h3>\n<p>If a company self-certifies to\u00a0<a href=\"https:\/\/www.privacyshield.gov\/Program-Overview\" target=\"_blank\" rel=\"noopener\">Privacy Shield<\/a>\u00a0within the first two months of the DOC accepting certifications, those companies will be given an additional nine months to get their contracts with third parties updated to meet Privacy Shield requirements.<\/p>\n<p>So if a company certifies to Privacy Shield on September 1st, they have nine (9) months from that date to get their third party contracts updated.<\/p>\n<p>During that time, the Notice and Choice Principles apply to transfers to third parties.<strong>\u00a0The grace period only applies to the Accountability for Onward Transfer Principle.<\/strong><\/p>\n<p>The company needs to be in full compliance with the remaining Principles to self-certify.<\/p>\n<p>Companies self-certifying Privacy Shield compliance with the DOC after September 30th will need to be in full compliance with all the Principles including Accountability for Onward Transfer and must be able to provide a copy of the privacy 
provisions in their contracts upon request.<\/p>\n<p>This means, a company must have all their ducks in a row (including updating contracts) before they self-certify.<\/p>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t<\/section>\n\t","protected":false},"excerpt":{"rendered":"<p>A new EU-US data transfer framework will succeed the Swiss-US Safe Harbor framework.
Privacy Shield replaces Safe Harbor &#8211; what you need to know, now.<\/p>\n","protected":false},"featured_media":1261,"template":"","topic-resource":[59,69],"type-resource":[6],"class_list":["post-2985","resource","type-resource","status-publish","has-post-thumbnail","hentry","topic-resource-data-transfers","topic-resource-eu","type-resource-articles"],"acf":[]}