On 21 December 2016, the Federal Department of Justice and Police published a draft bill of the revised Swiss Federal Data Protection Act (FDPA). The proposed amendments are intended to adapt the existing law so as to align it with old and new developments on the European level, in particular the amendments introduced into European law by the General Data Protection Regulation (GDPR), which will apply from 25 May 2018, replacing Directive 95/46/EC, and the draft protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108) of 15/16 June 2016, expected to be adopted by the Council of Europe in early 2017.
1. Geographic scope
The FDPA has already been interpreted by Swiss courts to apply to data processing activities outside of Switzerland that have notable effects in Switzerland (“effects principle”).
The GDPR explicitly extends the geographic reach of EU data protection law by applying EU law to activities of controllers and processors established in the EU even if the processing takes place outside the EU, and to processing activities of controllers and processors not established in the EU that are related to the offering of goods or services to the relevant data subjects in the EU or to the monitoring of the behaviour of individuals taking place within the EU.
2. Substantive scope
According to the draft revised FDPA, the substantive scope shall be limited to data concerning individuals (natural persons) and shall no longer cover personal data of legal entities (corporations). This particularity of Swiss law, which has no counterpart in EU law, had little practical effect but caused many furrowed brows.
The FDPA’s definition of sensitive personal data shall be extended to biometric and genetic data, in compliance with the GDPR.
3. New terminology
“Profiling” (a dynamic process) shall replace “personality profile” (the static result of data processing activities) and “controller” shall replace “controller of the data file”, to bring the terminology of the FDPA in line with the GDPR. The term “data collection” (Datensammlung, fichier) shall be dropped altogether.
4. Qualification of the consent
The draft revised FDPA adds to the existing consent requirement that the consent must be given “unambiguously”. The consent for the processing of sensitive personal data shall be “exprès” and “espresso” in the French and Italian versions respectively, thereby making clear that such consent can also be given implicitly by a clear affirmative action, all in line with the GDPR.
Already under the existing FDPA, consent should cover all of the purposes for which the data are being processed, so that a later processing for a purpose originally not recognisable for the data subject is not permitted without new consent, in line with the GDPR.
5. The data subject’s right to information and to be forgotten
The draft revised FDPA aims at strengthening the individual’s rights and increasing transparency. In particular, it requires any federal body and any private person to inform the data subject when collecting any category of personal data, not just sensitive personal data.
In compliance with the GDPR, the FDPA shall explicitly regulate the obligation to delete personal data when the original purpose for processing the data no longer justifies their retention, and shall give the data subject an explicit right to have them deleted.
6. Rights in data of the dead
According to the draft revised FDPA, anybody who can show a legitimate interest shall have access to the personal data relating to a deceased person, whereby such legitimate interest is presumed for children, grandchildren or parents of the deceased person or their spouses, registered partners or de facto spouses.
7. Automated individual decision-making
The draft revised FDPA, in compliance with the GDPR, requires information and consultation when a controller takes a decision solely on the basis of automated data processing, without human intervention or evaluation, which produces legal effects for or significantly affects the data subject. Such information and consultation may also take place after the decision has been taken.
8. Data protection by design and by default
The draft revised FDPA as well as the GDPR provide that the controller shall implement appropriate technical and organizational measures to reduce the risk of violations of personality or fundamental rights and prevent such violations (so-called privacy by design) and for ensuring that, as a standard, only personal data which are necessary for each specific purpose are processed (so-called privacy by default).
9. International data transfer
The FDPA continues to allow the transfer of personal data only to countries with an adequate level of data protection. The Federal Council shall be competent to determine bindingly whether a specific country provides adequate protection. If there is no adequate foreign protection, data may still be transferred on the basis of international treaties (such as ETS 108), individual contractual agreements previously notified to the Commissioner, approved standardised safeguards, or approved internal data protection regulations that apply to all of the transferring and receiving entities.
10. Extended duties and powers of the Commissioner
According to the draft revised FDPA, the Commissioner’s powers to supervise compliance with the FDPA shall be extended to all private persons and shall no longer be limited to specific cases. The Commissioner shall also be enabled to render administrative decisions binding on the parties, but he or she shall still not have the power to impose fines or other penalties. Under EU law, too, the supervisory authority is given broader responsibilities.
11. Administrative fines and penalties
According to the draft revised FDPA, the penal provisions shall be extended. This broadly follows the GDPR, with the difference that under the GDPR the supervisory authority itself has the power to investigate and impose administrative fines, while it is left to the member states to lay down the rules on other penalties applicable to infringements of the GDPR. The maximum fine is increased to CHF 500,000, and violations of the duty of professional confidentiality may be sanctioned with imprisonment of up to three years or a monetary penalty of up to CHF 1,080,000. In the case of violations committed within a business undertaking, the law enforcement authorities may either prosecute the responsible persons or instead order the company to pay the fine.