What impact will Brexit have on cross-border data flows?
31.01.2020 - Following the referendum held in the United Kingdom in June 2016, the British government announced its decision to withdraw from the European Union (Brexit). The United Kingdom will leave the EU on 31 January 2020.
Cross-border transmission of personal data under the Federal Act on Data Protection (FADP)
Cross-border data transmission must comply with the provisions of Article 6 of the Data Protection Act (FADP). According to this article data may only be disclosed abroad if the receiving country has legislation guaranteeing an adequate level of data protection (Art. 6 para. 1 FADP) or if, in the absence of such legislation, it has other provisions or safeguards for ensuring an adequate level of protection (Art. 6 para. 2 letters a and g FADP). Under Article 31 para. 1 let. d FADP, the Federal Data Protection and Information Commissioner (FDPIC) provides an opinion on whether a country’s level of protection is adequate to allow all data transfers to that country. This requires that the data receiver is subject to legislation ensuring a level of protection that is comparable with Swiss law, i.e. legislation that guarantees the rights of the data subjects, that respects the main principles of data protection and that provides for an independent supervisory authority. A list of countries complying with these requirements is published on the FDPIC website (Art. 7 DPO). This list is updated on a regular basis.
United Kingdom and Gibraltar
The UK and Gibraltar currently have an adequate level of data protection; for the moment the FDPIC has no grounds for changing their status on the country list. As regards the legal consequences of Brexit on the protection of personal data as of 1 February 2020, the British authority responsible for protecting personal data, the Information Commissioner’s Office (ICO), states on its website that the UK will continue to guarantee a high level of personal data protection.
However, if the FDPIC decides to change the status of the UK or Gibraltar on its country list, businesses will be notified in due course so that they can prepare themselves, in particular by using standard contracts.
The EU will decide by the end of 2020 whether the UK has an adequate level of data protection. The FDPIC is monitoring developments closely.
FDPIC, Transfer of personal data abroad
FDFA, Directorate for European Affairs DEA: FAQ Brexit
ICO, Statement on data Protection and Brexit implementation
ICO, Data Protection and Brexit
European Commission, UKTF, Task Force for Relations with the United Kingdom
Second chamber concludes consultation on Data Protection Act (DPA)
18.12.2019 - The FDPIC welcomes the fact that the Council of States has debatted the totally revised DPA and has adopted most of the improvements proposed by its Commission in comparison to the National Council version.
The Data Protection Act goes to the Council of States in the winter session
20.11.2019 - The FDPIC welcomes the fact that, within the short time available up to the end of the session, the Political Institutions Committees of the Council of States (PIC-S) has succeeded in adopting a legislative text for the attention of the Plenum of the Council of States that is ready for consultation and significantly improved on the version of the National Council.
Press Release of the PIC-S (in German)
30.08.2019 - Draft of new Data Protection Act to be debated in the National Council
Facebook to introduce special features in Switzerland for the elections
17.10.2019 – On the eve of the federal parliamentary elections on 20 October, Facebook is set to introduce features aimed to appeal to Swiss users of its social media platform. The company confirmed the plans following an enquiry made by the Federal Data Protection and Information Commissioner. The FDPIC welcomes the company’s transparency.
After the Federal Data Protection and Information Commissioner (FDPIC) learned through various reports that Facebook was planning to introduce features on its social media platform in connection with Switzerland’s 2019 parliamentary elections such as a ‘voter button’, he wrote to the company requesting further information.
In his letter, the FDPIC, referring to sections 5.3 and 7 of the FDPIC’s Guide, pointed out that operators of social media networks are called on to provide fair and full information about how the feature should work and how the resulting data is to be processed. Only if such transparency exists can voters gauge whether and to what extent the way in which the data gleaned from the applications in question are processed could have an influence on opinion forming or voter behaviour.
Facebook Ireland Ltd subsequently confirmed that the functions will be introduced on its social media platform one day before the elections and on election day itself. The features are to be displayed on the profiles of all Swiss voters and Facebook users. Facebook is not going to select certain users or user groups.
According to the written assurances given by Facebook, the features are solely intended to raise the awareness of users for the upcoming elections, and ultimately to encourage voter participation by allowing users to show on their profiles that they have cast their vote in the elections. Facebook stresses that the company will not process data relating to the political views of users in this context.
Furthermore, Facebook has demonstrated that the company has taken heed of the transparency requirements set out in our Guide. Facebook users can read about the various functions and features it employs by clicking on the links to the multi-level information pages (See the following links: Facebook Data Policy; Control who can see what you share; Why am I seeing a reminder about an election and voting on Facebook?; What information does Facebook use to show information about elections and government?)
Complete Revision of the Federal Act on Data Protection (FADP) goes to the Commission of the Council of States
25.09.2019 – Now that the National Council has treated the complete revision of the Federal Act on Data Protection (FADP) as first chamber of parliament, the FDPIC hopes that the second chamber will be able to schedule the debate in its winter session and improve the protection of the Swiss population by aligning it with European standards.
4th Update concerning the Libra project
19.09.2019 - At a meeting with the FDPIC in Berne, Libra Association reiterates its commitment to develop a consistent data protection standard for the system. The association will involve the FDPIC in its ongoing development work at an early stage in order to comply with data protection requirements from the outset.
After the Libra Association had provided supplementary information on the Libra project in due time, a personal meeting between the FDPIC and representatives of the Libra Association took place in Berne on 17 September 2019.
The Libra Association reiterated its commitment to develop a consistent data protection standard for the system. This is in line with the position of the FDPIC, who thereby wants to achieve a high level of protection for the personal data of the users.
The Libra Association will involve the FDPIC in its ongoing development work at an early stage in order to comply with data protection requirements from the outset (privacy by design). The association will carry out a risk impact assessment and implement measures necessary for a consistent data protection standard, including necessary organizational measures like the creation of a data protection office.
Draft of new Data Protection Act to be debated in the National Council
30.08.2019 - Following its discussion of the Federal Council dispatch of 15 September 2017, the National Council’s political institutions committee decided on 16 August 2019 based on the casting vote of its president to remit the draft of the totally revised Data Protection Act to the plenary session of the National Council for debate.
The proposal made to the National Council contains several provisions which, in the version approved by a majority of the committee, would lead to a lower level of data protection for the Swiss population than in neighbouring European countries and to a partial reduction in the level of data protection afforded by the current Data Protection Act of 1992.
In its public debate on 24 and 25 September, the National Council will have the opportunity to compare the respective drafts of the committee’s majority and minority and to decide whether it wishes to improve the level of protection given to the Swiss population and adapt to European standards.
The summary with the requests of the Political Institutions Committee of the National Council for the revision of the Federal Data Protection Act has been published.
Postfinance: no equal treatment for customers under the current law
30.08.2019 - In a letter dated 13 June 2019 in response to an enquiry from the FDPIC, Postfinance AG confirmed that their Swiss customers will still require to register an express objection if they do not wish their identity to be authenticated by voiceprint. In contrast, Postfinance makes authentication by voiceprint for foreign customers subject to their express consent. This unequal treatment, which the FDPIC has publicly criticised, (see the report on SRF’s 10vor10 programme on 20.5.2019) is set to continue.
In its response to the FDPIC, Postfinance AG maintained that this difference in treatment is due to differences in the requirements of Swiss and foreign law, and that the adoption of foreign law to cover domestic circumstances is a political matter reserved to parliament. Postfinance AG will therefore continue to treat Swiss customers differently for as long as Swiss data protection law is not brought in line with EU law.
3rd Update concerning the Libra project
23.08.2019 -The Libra Association sent the first part of the requested documents to the FDPIC on time. Further documents and explanatory information will follow in the coming weeks.
These submissions will serve as a basis for the FDPIC's determination of its competences and the planning of future activities. In due course, the FDPIC will inform the public of the outcome of his examination of competence and of any further steps he may take.
The FDPIC will attend the forthcoming meeting with the U.S. House Committee on Financial Services and personally serve it with this information.
2nd Update concerning the Libra project
06./08.08.2019 - The British and other data protection authorities have published a joint statement demanding more openness from Libra promoters about the project. The FDPIC stays in contact with the European Data Protection Board (EDPB) and the International Conference of Data Protection and Privacy Commissioners (ICDPPC).
The FDPIC is affected as all other Data Protection Authorities (DPAs) by the Libra project and its global network and therefore eager to support the global community of DPAs in their joint efforts to protect the people. The FDPIC thus stays in contact with the EDPB and the ICDPPC.
On the other hand, the FDPIC as the DPA at the Swiss headquarters of the Geneva based Libra Association has to exercise his legal tasks. In this latter role the FDPIC initiated an official proceeding focused on the evaluation of his competence with regard to the Geneva based association, which in the meantime appointed a Swiss law firm and declared its readiness to deliver more detailed information on the project, as requested in the FDPIC’s letter of 17 July 2019. The FDPIC will thus first analyse upon receipt the promised information and assess the extent to which his advisory competences and supervisory powers would apply, before joining any statements or commenting on the Libra project and its network as a whole.
1st Update concerning the Libra project
29.07.2019 - The Libra Association has replied to the FDPIC's letter of 17 July and promised a prompt response to issues raised. It plans to meet the FDPIC in the coming weeks for talks. The FDPIC will issue a press release on the next steps as soon as he has analysed the information received and gained an overview of the current status of the project.
Link to the media release of 23 July 2019
26th Annual Report: Switzerland must maintain its level of data protection
18.06.2019 - The FDPIC expects that the Federal Council and Parliament will continue to guarantee the Swiss population a level of data protection that is in line with its European neighbours by signing the Council of Europe Convention 108 in the near future and swiftly bringing to a close the complete revision of the Data Protection Act.
Link to the media release
Data Protection Day 2019 - 3 priorities for the Confederation and cantons: elections, police, OASI number
28.01.2019 - Federal and cantonal data protection authorities' press release:
25th Annual Report: Freedom before security
25.06.2018 - Monitoring major digital projects has once again been the focus activity for the FDPIC. The E-ID Act as the basis for using a SwissID, the risk report on using the OASI number as a univer-sal personal identifier or the conditions that must be met by e-ticketing or public transport apps underline this prioritisation. As a supervisory authority, the Commissioner had to intervene to prevent the processing of data on compulsory health insurance and had to deal with data leaks at several large companies. As the Freedom of Information Commissioner, the FDPIC succeeded in achieving a substantial increase in the efficiency of his arbitration procedures and welcomed the National Council’s unanimous commitment to guaranteeing transparency in connection with public procurement – thus ensuring that the principle of freedom of information does not become a farce.
Selection of arbitrators for the Data Protection Arbitration Panel under the Swiss-U.S. Privacy Shield - First call for Interest
Deadline: April 30, 2018
06.04.2018 - According to Swiss law, personal data transmitted to the USA must be subject to an appropriate level of data protection. The Swiss-U.S. Privacy Shield serves this purpose. Thanks to this new legal framework, personal data can be transferred from Switzerland to a company in the USA, provided that the US company complies with a set of data protection rules and safeguards. This protection that is given to personal data applies to everyone who is resident in Switzerland. For this mechanism to become operational, a list up to five arbitrators must be agreed between the Swiss administration and the DOC. In the event of a dispute, the parties may select the arbitral tribunal from the arbitration pool developed under the EU-U.S. Privacy Shield which has been supplemented by the pool developed under the Swiss-U.S. Privacy Shield. The call for interest has been published in the U.S. Federal Register and can be accessed under the following link: https://www.federalregister.gov/documents/2018/04/02/2018-06737/swiss-us-privacy-shield-invitation-for-applications-for-inclusion-on-the-supplemental-list-of
The deadline for applications is April 30, 2018. They must be submitted to David Ritchie at the U.S. Department of Commerce, either by email at email@example.com or by fax at: 202-482-5522.
Dispatch concerning the revision of the Data Protection Act: the FDPIC's general assessment
15.09.2017 - The rapid development of information and telecommunications technology and the related digitalisation of society have required the Council of Europe and the European Union to further develop their data protection legislation, and have now necessitated the complete revision of the Federal Data Protection Act, which originally came into force in 1993. The draft act prepared by the Federal Council has the aim of increasing the protection of data by improving the transparency of data processing and increasing the options that data subjects have to control their own data. In addition, the revision of the Act should ensure consistency between the level of data protection in Switzerland and that in the EU. Having a level of data protection that is comparable with that in EU states is particularly important for Swiss businesses, especially because the new EU General Data Protection Regulation (EU-GDPR), which comes into force at the end of May 2018, will have a direct effect on many Swiss enterprises.
Guide to the Swiss-US Privacy Shield
22.08.17 - The FDPIC has elaborated a practical brochure to the Swiss-US Privacy Shield. It provides information on the company's obligations and the rights of persons whose data is processed as well as how they can complain.
Swiss-US Privacy Shield Guide (PDF, 171 kB, 06.12.2017)
Transfer of data to the USA
Annual report 2016/2017
26.06.2017 - The Federal Data Protection and Information Commissioner presents his new annual report for the period from 1st of April 2016 to 31st March 2017.
Media release FDPIC annual conference 2017 (PDF, 152 kB, 26.06.2017)
Summary Annual report 2016/2017 (PDF, 35 kB, 26.06.2017)
Last modification 31.01.2020