Swiss-US Privacy Shield Rollout: What to Expect
April 13, 2017

TRUSTe Inc., 2017


Privacy Insight Series - truste.com/insightseries
Today's Speakers

Michelle Sylvester-Jose
Policy Advisor, International Trade Administration

Nasreen Djouini
Policy Advisor, International Trade Administration

Josh Harris
Director, International Regulatory Affairs, TRUSTe

Today's Agenda

Welcome & Introductions
How the Swiss-U.S. Privacy Shield was developed and the differences between the Swiss and EU Privacy Shield Frameworks
What you should do to prepare to self-certify to Privacy Shield for the first time, or to add the Swiss-U.S. Privacy Shield to your EU-U.S. Privacy Shield certification
How to navigate the self-certification process on privacyshield.gov
How to re-certify on an annual basis
Q&A

Swiss-U.S. Privacy Shield: What's Different
Nasreen Djouini, Policy Advisor, International Trade Administration

Developing the Swiss-U.S. Privacy Shield

The Swiss-U.S. Privacy Shield reflects our shared objectives of enhancing privacy protections for individuals and providing certainty for businesses.

Switzerland recognized the adequacy of protection provided by the Privacy Shield Principles as meeting the requirement of Article 6 of the Swiss Federal Act on Data Protection.

The Swiss-U.S. Privacy Shield includes the Privacy Shield Principles, along with letters describing oversight and enforcement by the U.S. Government and the broader U.S. privacy framework.

Difference between the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks?

Swiss Data Protection and Information Commissioner authority
Modification to the Choice Principle
Immediate applicability of Onward Transfer Principle
Will put in place the binding arbitration option at first annual review

Preparing to self-certify to Privacy Shield for the first time, or to add the Swiss-U.S. Privacy Shield

Removing references to the U.S.-Swiss Safe Harbor
Adding a commitment to the Swiss-U.S. Privacy Shield
Adding a reference to the Swiss FDPIC (if applicable)
Sample language to be used in a privacy notice
Self-certifying to one or both Frameworks

What to Expect When Applying
Michelle Sylvester-Jose, Policy Advisor, International Trade Administration

Payment Structures

Annual Revenue                     Single Framework   Add a Framework   Both Frameworks
$0 to $5 million                   $250               $125              $375
Over $5 million to $25 million     $650               $325              $975
Over $25 million to $500 million   $1,000             $500              $1,500
Over $500 million to $5 billion    $2,500             $1,250            $3,750
Over $5 billion                    $3,250             $1,625            $4,875

Application Process

Organization Information
First Time? Select Your Framework(s)
Display Name vs. Legal Name
Organization Contact vs. Corporate Officer
Covered Entities

Covered Data and Dispute Resolution

Must opt-in for data you cover, and Recourse Mechanism
HR data for EU and DPA compliance

Adding Swiss

Last Steps and Finalizing your Self-Certification

Last Steps:
Must include policies for all data covered (HR and non-HR)
Payment Notification
Processing Self-Certifications
Review Time
Case Comments
Viewing your record on the Privacy Shield List

FAQs

FAQs on privacy policies, new requirements, etc. are available on the Privacy Shield website:
https://www.privacyshield.gov/Program-Overview

Third Party Verification & Dispute Resolution Providers
Josh Harris, Director of International Regulatory Affairs, TRUSTe

Privacy Practices Verification

Companies must take steps to verify that assertions made around Swiss Privacy Shield compliance are true
Third party compliance reviews can be used to satisfy this requirement
Third party reviews must:
Verify privacy policies are being complied with
Consumers are informed of how they can file a complaint
Companies must be able to demonstrate an external review has been successfully completed annually
This can be provided by the external compliance review provider
Companies must retain records of their implementation of the Privacy Shield Principles and privacy policies
Records must be provided upon request in the context of a Privacy Shield related investigation

Dispute Resolution

Companies must respond to the initial complaint within 45 days
An alternative mechanism must be in place to address Swiss Privacy Shield related complaints
Independent Dispute Resolution Provider (IDR) can be used for consumer data
The Swiss DPA must be used for employee data
Must be provided free of charge to individuals
Companies must provide information regarding their IDR Provider in their privacy notice
Name of the designated provider and how to contact them
Whether the provider is the Swiss Federal Data Protection and Information Commissioner (FDPIC) or U.S. based
That it is available free of charge
Binding arbitration is available after other mechanisms have been exhausted
Requirements for IDR Providers Under Swiss Privacy Shield

Make information available to consumers about Privacy Shield and the IDR Provider's role under Privacy Shield
Needs to be accessible from the IDR Provider's website
Link to the DOC's Swiss Privacy Shield site
Explanation of how to file a complaint, dispute resolution process and timeframes, and potential remedies
Report annually to the DOC regarding number, types, and outcomes of complaints received, and length of time to resolve
Reporting in the aggregate
IDR Providers must notify DOC of companies that fail to resolve Privacy Shield related complaints

Levels of Third Party Assistance
Dispute Resolution    Verification    Assessment

Dispute Resolution mechanism (non-HR)
Dispute Resolution Seal/Button (non-HR)
Comprehensive Assessment

Customer and / or HR Data
Online Asset Review and Scanning
Findings Report
Searchable Audit Trail
DOC Registration Assistance
Ongoing Guidance
Remediation Assistance
Verification Seal
Verification Letter of Attestation
Verification Listing for DOC

Questions?

Contacts
Josh Harris email: jharris@truste.com
Michelle Sylvester-Jose email: michelle.sylvester-jose@trade.gov
Nasreen Djouini email: nasreen.djouini@trade.gov

Thank You!
Register now for the next webinar in our 2017 Winter/Spring Webinar Series on April 27, 2017: "ROI of Privacy: Building a Case for Investment"
https://info.truste.com/roi-of-privacy-webinar.html

See http://www.truste.com/insightseries for the 2017 Privacy Insight Series and past webinar recordings.