Data Protection Law: Evolution of the Swiss and European Landscape
Regulation (EU) 2016/679 will enter into force on May 24, 2018. Until then, the member states of the EU will have to adapt their legislation in order to allow businesses and individuals to comply with their obligations through the adoption of codes of conduct, certification procedures and surveillance programs. The national data protection authorities will be able to impose fines on corporations of up to 4% of their worldwide annual turnover and to issue joint sanctions. Moreover, the GDPR provides for the creation of a European Data Protection Board, which will supervise the member states’ national authorities and arbitrate any conflicts between them.
In Switzerland, the Federal Council issued its draft of the new Federal Data Protection Act (FDPA) on December 21, 2016. This is in line with its "Swiss Digital Strategy" of April 20, 2016 and is the result of an evaluation of the current legislation. This study found (unsurprisingly) that the applicable laws were no longer adapted to the current state of technological developments and practices.
The draft was designed around several guiding principles, including in particular:
- Risk-based approach. The duties of the controllers of data will be stricter when the risks of violation of the rights and freedoms of the data subjects (individuals) are higher. As an example, a company that regularly processes "sensitive" data (data on health or political opinions, biometric data, etc.) and that regularly delegates the processing of data to sub-contractors ("processors") will be subject to more thorough scrutiny than a company that collects data only occasionally.
- EU-adapted terminology. The "file master" of the current FDPA will become the "processor". "Sensitive data" will now extend to biometric and genetic data. The concept of "profiling" specifically addresses the issue of the processing of data to predictive ends (Big Data, Smart Data).
- Improved exchanges of data with foreign countries. The transmission of data to a foreign country will remain subject to the adequate protection principle. However, the level of protection of foreign jurisdictions will not be determined by the controller itself but by the Federal Council directly.
- Better protection of individual rights. The draft reinforces and clarifies pre-existing rights (the right to obtain personal data from the controller, now free of charge; the right to correction of personal data; the right to prohibit processing; the right to prohibit the transmission of personal data to a third party) and also introduces new rights (the right to be forgotten and the right to order destruction of personal data). The draft also addresses the issue of rights relating to deceased persons and recognizes their heirs’ right to act.
- Clarified obligations of the controller. The controller must inform the data subject if personal data is being processed and if he or she is likely to be involved in data processing by automated means. The controller must also notify the data subject in case of unauthorized processing of his or her data (hacking) or if personal data has been lost or destroyed. Lastly, the draft provides that the processing of data must be protected by default (privacy by default) and from its conception (privacy by design).
- Reinforced control and independence of the Federal Data Protection and Information Commissioner (FDPIC). This goes together with a reinforcement of criminal sanctions and the possibility for criminal prosecution authorities to impose fines of up to CHF 500'000.
However, the Federal Council specifically decided to leave out some concepts or solutions applied in foreign jurisdictions, in particular:
- The protection of data of corporations.
- The power of the FDPIC to adopt binding rules. The Federal Council decided to avoid discussing the issues of legality and the delegation of powers on which this power would rely. Also, the FDPIC will not be able to impose fines (contrary to what the European Parliament envisaged in the GDPR).
- Reversed burden of proof. The Federal Council initially considered placing the burden of proof on the controller in case of litigation by an individual. The controller would have had to demonstrate that he had complied with his legal duties when processing personal data. In the end, the Federal Council considered that Swiss courts already had sufficiently efficient means to assess a specific situation and to resolve cases when facing problems with respect to the establishment of evidence.
- Data protection class actions. The principle of class actions, still nonexistent under current Swiss law, is now being debated in Parliament. Therefore, it seemed unnecessary to create such a new, distinctive right in data protection.
- Data portability. According to the Federal Council, the right to data portability aims to stimulate competition, not to protect individuals. This seems regrettable, since it was one of the GDPR’s interesting novelties and could have helped citizens to avoid being “stuck” with the same service provider.
- A special dispute resolution regime. It was considered that alternative dispute resolution programs and entities already exist, depending on the industry (in particular in banking and insurance).
The draft is still subject to the Parliament's scrutiny and will probably be modified before its final adoption. In the meantime, it gives clear indications on the predictable evolution of the Swiss and European data protection legal landscape and will force companies to adapt their general terms and conditions, privacy policies and data processing.
Altenburger Ltd legal + tax is ready to assist them.