After the decision taken by Parliament to split the revision of the Federal Act on Data Protection (FADP) into two parts, the Schengen Data Protection Act (SDPA) came into force on 1 March 2019. The necessary adaptations to Swiss law to bring it in line with European legislation and comply with the Schengen acquis have thus been made. The SDPA is intended as a transitional law and contains several innovations. Among other things, it gives the FDPIC investigative powers and the authority to issue rulings within the framework of the application of the Schengen acquis in criminal matters.
In its deliberations on the revision of the Federal Data Protection Act, Parliament decided to split the draft document on the total revision of the FADP into two parts and, as a first step, to deal with the amendments necessary to fall in line with the Schengen acquis. On this basis, the Federal Act on the Implementation of the Directive (EU) 2016/680 was adopted, and it came into force on 1 March 2019. This Act brings the Schengen Data Protection Act (SDPA) into force and amends various acts applicable to Schengen cooperation in criminal matters.
The SDPA applies in particular to the processing of personal data by federal bodies in criminal matters within the framework of the application of the Schengen acquis. The Federal Office of Police (fedpol), the FOJ in the field of international mutual legal assistance in criminal matters and the Office of the Attorney General of Switzerland are thus affected. The SDSG does not apply to cantonal authorities, since it is incumbent on the cantonal legislators to transpose the new requirements of the Directive (EU) 2016/680 into their legislation if necessary.
The aim of the Schengen Data Protection Act is to implement the Directive (EU) 2016/680, which, unlike the General Data Protection Regulation, is a further development of the Schengen acquis for Switzerland. It is planned to integrate the SDPA into the revised FADP, and to repeal the SDPA as soon as the revised FADP comes into force.
The SDPA mainly introduces the following innovations:
- genetic and biometric data that uniquely identify a person are now listed as sensitive personal data;
the term ‘profiling’ now replaces the ‘personal profile’;
- data protection through technology and data protection-friendly default settings (privacy by design and default) are anchored as principles;
- automated individual decisions are expressly regulated;
under certain circumstances, federal bodies must conduct data protection impact assessments and, in certain cases, consult the FDPIC;
- they must report data breaches to the FDPIC that are likely to pose high risks to the fundamental rights of the person concerned;
- the FDPIC can open new investigations and issue rulings as an administrative measure.
These new instruments will most likely also be introduced in other areas as a result of currently ongoing revision of the FADP.