The rapid development of information and telecommunications technology and the related digitalisation of society have required the Council of Europe and the European Union to further develop their data protection legislation, and have now necessitated the complete revision of the Federal Data Protection Act, which originally came into force in 1993. The draft act prepared by the Federal Council has the aim of increasing the protection of data by improving the transparency of data processing and increasing the options that data subjects have to control their own data. In addition, the revision of the Act should ensure consistency between the level of data protection in Switzerland and that in the EU. Having a level of data protection that is comparable with that in EU states is particularly important for Swiss businesses, especially because the new EU General Data Protection Regulation (EU-GDPR), which becomes applicable on 25 May 2018, will have a direct effect on many Swiss enterprises.
The FDPIC’s general assessment
The FDPIC is in agreement with the main features of the revision; however, he has certain reservations, primarily because of differences in terminology and content between the revised act and both the EU-GDPR and the revised CETS Convention 108 of the Council of Europe. In the FDPIC’s opinion, many of these differences serve no clear purpose, particularly when they make the legal position of that part of the Swiss economy and administration that must directly apply the EU-GDPR unnecessarily complicated.
The FDPIC regards it as particularly positive that transparency in data processing will be increased by introducing an obligation to provide information for all processing by private individuals and entities that gather data, irrespective of the data’s sensitivity. He also welcomes the introduction of a data protection impact assessment when enterprises or authorities conduct projects that pose a high risk to the privacy or fundamental rights of data subjects. The duty to provide information in response to a request under the right of access has also been expanded. The FDPIC also welcomes the improvements in self-regulation in the form of codes of conduct that facilitate the activities of controllers and which should improve compliance with the Act. Another positive move is the express mention in the Act of the processing principles of ‘privacy by design’ and ‘privacy by default’. The independence and status of the Commissioner have also been improved. The revised Act provides that the FDPIC, in line with his European counterparts, can investigate controllers and processors on his own initiative or in response to a report, and issue a ruling when the investigation is completed. The FDPIC has noted that the Federal Council has promised him additional resources to implement the new Act.
The remaining differences include the absence of any right to data portability, which would improve the control that users have over their own personal data. Nor does the revised act relieve data subjects of the burden of proof in civil proceedings. The FDPIC would also have liked the new FADP, in line with the EU General Data Protection Regulation, to apply to data processors who are not based in Switzerland but whose data processing has its impact here and affects people resident here. These enterprises should also be required to have a contact in Switzerland to make it easier for data subjects to enforce their rights.
The new Swiss law ought to require companies that are already subject to the EU-GDPR to appoint company data protection officers subject to the same requirements as those of the EU-GDPR. The same applies in the case of the codes of conduct: Swiss business associations and sectors should have to submit these to the FDPIC subject to the same requirements as when they submit codes of conduct to the data protection authorities in the EU under the EU-GDPR. The requirement to prepare risk assessments should also apply to enterprises that have appointed a data protection adviser, and a certification requirement for data processing that poses exceptional risks should be introduced.
The FDPIC regards the proposed sanctions (a maximum fine of CHF 250,000) as a very weak deterrent when compared with those in the EU-GDPR (up to 20 million euros or 4 per cent of annual worldwide turnover, whichever is higher). Moreover, he fears that in practice they will affect subordinate employees of the offending enterprises rather than the enterprises themselves. He also regrets the absence of administrative criminal law sanctions.
Lastly, it should not be the Federal Council but Parliament that approves the FDPIC’s budget, in the same way as it approves the budgets of other independent supervisory authorities, such as the Swiss Federal Audit Office or the supervisory authority for the Federal Intelligence Service.
FDPIC, 15 September 2017