The revision of the Swiss Data Protection Act (DPA): new developments and perspectives.

New information and communication technologies play a central role in today's social systems, which are often highly interconnected. It is therefore essential to understand the structure of the society we live in and how dependent, or interdependent, it is on technology.

Technological progress forces the legal world into continuous and careful review. In Europe, within the field of data protection and privacy, this tension peaked with the General Data Protection Regulation (GDPR), which entered into force on May 24, 2016 and became applicable two years later, on May 25, 2018. In Switzerland, the Federal Chambers adopted the fully revised Federal Data Protection Act (DPA) on September 25, 2020, after a legislative process of almost four years. The new DPA (whose entry into force is currently expected in 2022, since the implementing ordinances are still lacking) is more closely aligned with EU data protection law and paves the way for Switzerland to have its adequacy status confirmed by the European Commission.

The primary aim is to strengthen data protection by increasing the transparency of processing and the opportunities for data subjects to control data about them.
A statement from Bern to the media in 2016 noted, “The revision creates the prerequisites for the ratification of the Council of Europe Convention on Data Protection and the transposition of the EU Data Protection Directive.” The revision, therefore, aims to modernize the Swiss data protection landscape and bring it in line with the more sophisticated EU legislation.
Let us look in more detail at the key elements of the revision, which show the direction the federal government is heading in:

    • A fundamental risk-based approach: processing that poses significant risks to personal data is subject to stricter protection obligations
    • Technology neutrality: all technologies, including future ones, are covered by the Act
    • Compatibility with European law
    • Improved conditions for cross-border data transfers, so that Switzerland remains an appropriate partner
    • The protection of data subjects and their control over their data as the cornerstone of the regulatory framework

Let us therefore briefly review the main innovations approved by the Federal Chambers, on which debate remains open and fruitful, dwelling on those that are particularly relevant and have the greatest impact:

    1. The new categorization of personal data, in particular sensitive personal data, i.e. data requiring special protection: the category has been extended to data on ethnic origin, genetic data, and biometric data that uniquely identify a natural person;
    2. The introduction of the concept of “high-risk profiling”. Profiling as such is automated processing of personal data; behavioural advertising is a familiar example: we see an advertisement on a website for a service we previously searched for. The Act defines it as “any processing of personal data intended to analyze or predict the essential personal characteristics of a person, notably professional performance, economic situation, health, intimate sphere or movements”, a notion that corresponds to the definition in the European GDPR. Profiling becomes high-risk when the linking of data allows an assessment of essential aspects of a specific person's personality. The role of consent was initially an open question: whether or not consent should be a precondition for profiling in this sense. It appears not: profiling should, for now, be permitted without consent;
    3. The option for organizations to appoint a Data Protection Officer (data protection adviser), who acts as a contact person both for data subjects and for the authorities (including the FDPIC, the Federal Data Protection and Information Commissioner);
    4. The obligation to notify the FDPIC of a data security breach (“data breach”), more precisely where the breach is likely to entail a high risk for the personality or fundamental rights of the data subjects; in certain cases, an obligation to inform the affected data subjects has also been included;
    5. The obligation to conduct a data protection impact assessment where processing is likely to pose a high risk to the personality or fundamental rights of data subjects. This is a particularly sensitive issue that requires careful consideration by the companies concerned. New transparency and documentation requirements will apply, as well as specific obligations for risk-related processing activities.
    A few examples:

    • preparation of a register (inventory) of processing activities, unless the exception for small and medium-sized enterprises applies (Art. 12);
    • drafting or updating of privacy notices for data subjects in order to fulfil the duty to inform when collecting personal data (Art. 19 et seq.);
    • revision of contracts with processors, joint controllers, and third parties (e.g. Art. 9 and Art. 16 et seq.);
    • performance of a data protection impact assessment where processing is likely to pose a high risk to the personality or fundamental rights of data subjects, potentially including all “high-risk profiling” (Art. 22) (see point 2 of this list).
      As noted, companies are encouraged to use the time until the DPA comes into force to update their mechanisms, assess the impact on their operations, and begin to implement or design processes that conform to ongoing developments in data protection and privacy.
    6. Another fundamental aspect, though not the last to be considered, is the assignment to the FDPIC of powers of investigation, including access to premises and to company documents needed for the necessary enquiries. In the event of a violation of the Act, emphasis is placed on fines of up to CHF 250,000. It should be noted that the revision tightens the criminal provisions on data protection, not least because, unlike its European counterparts, the FDPIC cannot impose administrative sanctions. It was also stated during the legislative process that the criminal sanctions are primarily aimed at managers and not at employees who, in the course of their work, handle protected data; at the same time, it has not been entirely ruled out that a sanction may in some cases be imposed on employees without managerial functions. Where a fine of no more than CHF 50,000 would be considered but the effort to identify the offender within the company would be disproportionate, the company itself may be ordered to pay the fine instead of the individual who committed the offence. This point remains open to legislative developments.

Until the date of entry into force is announced, it remains necessary for companies to engage professionals capable of guiding them through the implementation of the required compliance projects.
