On 21 December the Swiss Federal Council opened its consultation on the complete revision of the federal law on data protection. The draft revision has been eagerly anticipated since the Federal Council tasked the Federal Justice and Police Department (EJPD) with its revision in April 2015. Interested parties now have until 4 April 2017 to comment on the draft.
The statutory revision aims to make data processing more transparent for the persons concerned and give them greater control over the processing of their data, increase the obligations of those responsible for data processing and strengthen the role of the Federal Data Protection and Information Commissioner (FDPIC), particularly by giving him or her the authority to issue mandatory orders.
A further - entirely essential - objective is to guarantee a level of data protection in Switzerland which also meets the requirements of European law, as otherwise the cross-border data traffic essential for the Swiss economy would be made unreasonably difficult. It is precisely with regard to compatibility with EU law that we hope to see rapid progress in the further legislative activities following the conclusion of the consultation, so that the revised law can enter into force in May 2018, the date from which the provisions of the new European General Data Protection Regulation will also apply.
Businesses are strongly advised to adapt to the new legislation at this early stage and to make the necessary preparations to ensure future compliance with data protection laws. This includes, for example, analysing data processing procedures and the risks associated with them, the existing in-house guidelines and instructions, and the agreements with third parties to whom data is forwarded or who process data on their behalf; on the basis of this analysis, businesses should then review where adaptation is needed and prepare the measures necessary for implementation.
The draft revision includes the following main innovations:
Notification of persons concerned: The duty to inform the persons affected by the collection of personal data is extended. In particular, it will now be obligatory under Swiss law to inform those affected when decisions that are associated with legal implications or have significant consequences for them are based solely on the automated processing of data.
Data protection impact assessment: If data processing is expected to lead to increased risk for the privacy or fundamental rights of the persons concerned, a data protection impact assessment must be carried out beforehand and the FDPIC notified of its results. The FDPIC may object to planned data processing and may order amendments or, if necessary, prohibit the data processing.
Reporting of data protection violations: Unauthorised data processing and loss of data must be reported to the FDPIC promptly, except where there is unlikely to be any risk for the persons concerned. The persons concerned must also be informed if necessary for their protection or at the request of the FDPIC.
Data protection by design and by default: When processing data, reasonable steps must be taken from the point at which the data processing is planned to minimize the risk of data privacy violations and to prevent data privacy violations. Furthermore, suitable default settings must be provided in technical systems to ensure that the processing of data is normally only possible for the relevant purpose.
Documentation obligation: Those responsible for data processing are obliged to document their processing activity.
Best practices: The FDPIC will now be given competence, with the involvement of interested parties, to draw up recommendations for best practices, which will put the statutory data protection provisions into concrete form. It should also be possible to submit best practices drawn up independently of the FDPIC to the FDPIC for review and approval. The advantage of such best practices is that the data protection provisions which they put into concrete form are regarded as having been complied with if the best practices are followed. The best practices thus establish legal certainty, which, considering that the sanctions for infringement of data protection obligations will be far tougher, is of considerable advantage.
Contract data processing: Provision will now be made whereby anyone processing personal data on behalf of customers may only subcontract to a third party subject to the prior written consent of the customer.
Forwarding of data abroad: A new rule, which will be useful for companies operating internationally, makes provision for the Federal Council to assess that a reasonable level of data protection exists in a certain country, in which case the forwarding of data to that country is permissible. Such an authoritative assessment, and the associated legal certainty for companies, has not existed before.
Sanctions: The maximum penalty for violation of data protection obligations has hitherto been only CHF 10,000. The maximum penalty has now been increased to CHF 500,000, and the range of obligations whose violation is punishable by law is extended; it now includes, for example, failure to notify persons concerned, to take reasonable steps to ensure data security, to carry out a data protection impact assessment, to take steps to protect data by design and by default, or to document data processing. Infringement of the obligation to report to the FDPIC is also punishable, in particular in the event of data protection violations. Sanctions are now also possible for grossly negligent breach of obligation, with the maximum fine reduced to CHF 250,000 in this case.
Legal persons: The previous data protection act also protected the data relating to legal persons. This is no longer the case under the new act, in line with EU law.
Registration of data collections: The previous obligation to register certain data collections with the FDPIC is waived for private companies and organisations. It is compensated for by the increased notification obligations and by the obligation to document data processing.
The previous data protection legislation was “toothless” due to the lack of any suitable sanctions, and data protection compliance was therefore not a top priority in many companies. The proposed Swiss data protection legislation does now tighten the sanctions, but unfortunately does not reach the severity to be introduced by the EU with effect from 15 May 2018 (where provision will be made for companies to be fined up to a maximum of 4% of their entire annual global turnover).
Swiss companies which are to be subject not only to the new Swiss Data Protection Act but also to the EU General Data Protection Regulation must therefore also take appropriate steps to prepare for data protection compliance, especially with regard to the higher penalties in the EU.
Together with the draft for the complete revision of the Data Protection Act, the Federal Council has also put out for consultation the legislative amendments necessary for the implementation of the EU directive on data protection for personal data in the area of law enforcement and mutual assistance in criminal matters, which is part of the Schengen acquis, and the draft of the revised Council of Europe Convention 108 for the protection of individuals with regard to automatic processing of personal data and the corresponding supplementary protocol. It is thus proposed to implement an entire “data protection package” simultaneously within the same legislative process.