At the end of 2016, the Federal Council put the preliminary draft revision of the Federal Data Protection Act (DPA) up for review. Although the majority of Swiss companies are not very exposed, 45% of them must take a serious interest in it in order to comply… And with the current European directives, the stakes are high for the Federation’s economy and its image as Europe’s digital safe.
Is your Company Concerned?
The Regulatory Impact Analysis (RIA) identified three types of Swiss companies, based on their exposure to the DPA.
Segment A is the least exposed and broadest, representing about 55% of companies. It brings together small local businesses with no activities abroad, such as a butcher’s shop. Bringing these companies into compliance, although necessary, does not require much action.
Segment B is made up of medium-size companies that process customer data using Web or Cloud technologies, sometimes abroad. It is in this segment that most of the compliance efforts will need to be done.
Segment C represents a niche: companies whose core business is data processing, such as “Big Data” organisations or Cloud providers. These highly exposed companies are, in general, very reactive about compliance, without which their entire business could be at risk.
However, regardless of the segment, all businesses in the Confederation must study the new bill and update the way they operate.
Why Revise the Law?
The Federal Data Protection Act came into force on July 1, 1993. Since then, the technological and societal landscape has changed, and this law is no longer effective in protecting people. For this reason, a re-evaluation was launched in 2010 to update the DPA and improve its effectiveness. Other laws are indirectly impacted and will be amended to be consistent with the new regulations.
In particular, the revision of the law aims first and foremost to improve the transparency of the processing and control of Swiss citizens’ data and to facilitate the exercise of their rights. It also makes data controllers responsible for processing and reinforces the monitoring of compliance with the implemented provisions.
This project is timely, since it coincides with the new European directives. Since Switzerland is part of the Schengen agreement, it has to follow the legal provisions of (EU) directive 2016/680. The latter, concerning the protection of individuals with regard to the processing of personal data for criminal purposes, is indeed a “development of the Schengen Act”.
But the need for compliance is not only political. Indeed, in order to be able to process the personal data of European nationals, the Confederation must provide a level of protection equivalent to the level imposed by the EU. Switzerland already has a ruling from the European Commission stating that it must guarantee an adequate level of data protection. Thus, the purpose of the DPA is to move closer to the (EU) Directive 2016/679 in order to comply with this ruling and to allow Swiss companies to maintain data exchange, and thus economic exchange, with the countries of the Union.
Which Personal Data are Involved?
The preliminary draft abolishes data protection for legal entities, apart from copyright, protection of personality and unfair competition. In this respect, it complies with the majority of national directives in European countries, and facilitates data exchange with them.
The duty to provide information is extended to all processing in the private sector. “Sensitive data” now includes genetic and biometric data that uniquely identifies an individual.
A Change of Approach Towards Homogenisation
The revision of the Federal Data Protection Act makes it possible to ensure that it is more sustainable than before. For example, it benefits from a neutrality that allows it to be applied to any technology, so as not to hinder innovation.
The Federal Council also took the opportunity to adopt terminology that is compatible with European law, for better understanding and for simplified future adaptation. For example, the Swiss “file master” becomes the “controller”, a term used by European directives.
But above all, the preliminary project changes its approach. Like international standards such as ISO 27001, it is based on the potential risk to people. For example, companies whose business presents a higher risk to the data being processed (for example, a database sales company) will have more obligations imposed on them than a company presenting a lower risk (for example, a company operating with a customer database).
A human impact on both sides of the screen
The persons in question (owners of the data) benefit from enhanced rights. In particular, the preliminary draft redefines the notion of consent. Individuals are better informed about their data, their processing and the use thereof (on which they can, in some cases, give their opinion), and about the controller.
At the same time, the list of their obligations is getting longer! Beyond information constraints, the controller must, in certain cases, analyse the risks related to data processing and act accordingly. The preliminary project also offers this person certain technical measures for system parameterisation for better protection. Finally, the person responsible is obliged to inform the Federal Data Protection and Information Commissioner in the event of unauthorised processing or loss of data.
On the other hand, they are relieved of certain tasks, such as deciding whether a state outside Switzerland offers a sufficient level of protection to allow for data exchange. This mission is entrusted to the Federal Council. The draft also proposes alternative options which allow for the continued transfer of data under sub-optimal conditions.
The preliminary draft makes the controller responsible in a rather direct way. In case of non-compliance with the law, a fine of up to 500,000 Swiss francs may be imposed on them. And only in specific cases can this be transferred to their company.
This sum, more significant than before, is part of the dissuasive measures proposed by the Federal Council. The penal consequences, in case of violation, are thus reinforced. This allows the Attendant to take on a more important role, as they cannot impose administrative sanctions. The preliminary draft also allows for binding decisions on the controller and the launching of investigations if necessary.