30th Annual Report 2022/2023: New law strengthens the FDPIC
Bern, 26.06.2023 - The totally revised Data Protection Act, including its implementing legislation, comes into force on 1 September 2023. The FDPIC's work to ensure a smooth transition to the new law is proceeding according to plan. The new website will be continuously updated and the reporting portals accessible there will all be in operation by the date the new law comes into force. From this point on, the FDPIC will gradually expand its investigative activities in the exercise of its new powers. This requires an efficient use of resources, to which, among other measures, the publication of a new factsheet for IT activists should contribute. In view of the growing number of exemptions from scrutiny under the Freedom of Information Act and the increasingly common use of emergency law, the FDPIC will from now on publish a list of all exemptions permitted under specific federal acts.
New Data Protection Act
Thirty years after the Federal Act on Data Protection (FADP) came into force, the FDPIC is today publishing its 30th annual report. On 1 September 2023, a completely revised version of the FADP, along with its implementing ordinances, will come into force, offering businesses, the Federal Administration and the federal data protection supervisory authority new instruments to meet the justified expectations of the public for robust and constitutionally guaranteed protection of their privacy and informational self-determination in the digitalised world.
New website and reporting portals
The work of the FDPIC team to ensure a smooth transition to the new law is proceeding according to plan. Since the beginning of May 2023, we have been offering a new website, the content of which is aligned with the new FADP and is constantly being expanded. Two new online reporting portals can also be accessed there: the processing registers of the federal bodies (DataReg), and the portal for reporting data security breaches (DataBreach). A third portal with a list of company data protection advisors will follow in the course of the summer.
Intensification of supervision
From the date on which the revised FADP comes into force, the FDPIC will intensify its supervisory activities in exercising its new powers and gradually increase the number of formal investigations. Among other changes, the current requirement that the FDPIC has only been able to open a fact-finding investigation into data processing by private individuals if there has been a system error and the privacy of a large number of persons has been breached will no longer apply.
Factsheet for ethical hackers
In the last reporting period, data protection and security breaches were again reported to the FDPIC by well-meaning hackers commonly referred to as ethical hackers or "white hat hackers". For example, after receiving a tip-off from a member of the public, we carried out a fact-finding investigation into an inadequately secured database for private COVID-19 test centres. After it became apparent that the responsible parties had taken appropriate immediate measures after the issue had been brought to their attention and were able to prove that no third parties had accessed the data apart from the white hat hacker, we closed our investigation without making any recommendations. To ensure that all those involved act efficiently and in accordance with data protection legislation in such cases, the FDPIC has drawn up a fact sheet with practical suggestions on how to proceed.
Intimidating effect of monitoring devices
Recent reactions to the public tender to procure an SBB customer frequency measurement system suggest that the Swiss public is concerned by the increasing number of monitoring devices on private and public premises. These devices have a so-called "chilling effect", making people feel restricted in their decisions on where to go and what to do. It is also worrying that these increasingly inexpensive monitoring devices can be linked to the internet and other databases or even be capable of autonomous data processing if they are configured suitably. The FDPIC therefore advises those responsible for digital projects to exercise restraint when using monitoring technology. In the medium term, it considers it advisable to introduce further federal provisions on the collection of biometric data, such as face or voice data, and their automated analysis and recognition.
List of exemptions to the Freedom of Information Act grows
After the COVID-19 pandemic, which saw numerous decisions taken under emergency law, and the bailout of the electricity industry, the Federal Council, in issuing the emergency ordinance to rescue Credit Suisse, has once again within a few months made administrative activities exempt from scrutiny under the Freedom of Information Act. The emergency exclusion of citizens' rights of access guar-anteed by the Freedom of Information Act raises fundamental legal questions and has prompted the FDPIC to publish a list of all exemptions under specific federal acts in its annual report. This list will also be published on our website.
Note for journalists:
The Commissioner, Adrian Lobsiger, and his deputy, Florence Henguely, will be available for interviews with the media. For coordination purposes, interview requests should be sent to the media office before the media conference if possible: email@example.com.
Address for enquiries
Federal Data Protection and Information Commissioner (FDPIC), Tel. +41 58 464 94 10, firstname.lastname@example.org
Federal Data Protection and Information Commissioner
Last modification 16.05.2023