The protection of personal data is becoming more and more relevant. This is a result of the rapid advancement of communication and sales channels as well as the increasing capacities of companies to collect personal data. The Swiss Parliament seemingly acknowledged this too when it recently announced that it adopted the revised version of the Federal Act on Data Protection (‘FADP’). The revised Act is meant to create more transparency and strengthen the rights of data subjects whose data is processed. This blogpost presents some of its new provisions, drawing comparisons to the GDPR.
The current Swiss Data Protection Act dates back to 1992, which is why the now revised Act is a welcome and crucial step to match the technological developments with an adequate regulatory framework. It has been somewhat of a bumpy road for the revised Act to be adopted, with parliament being divided about some of its provisions. In particular, the controversial “profiling” nearly put a stop to the adoption of the Act.
What is Profiling and why did it divide parliament?
Profiling relates to an evaluation of an individual by artificial means. Recital 71 of the GDPR defines profiling as “any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyze or predict aspects concerning the data subject’s performance at work, economic situation, health […] where it produces legal effects concerning him or her or similarly significantly affects him or her”.
The Swiss People’s Party, the Liberals and a large part of the center-based parties did not want to set profiling barriers for the economy. The Social Democratic Party, the Green Party and Green Liberal Party, on the other hand, insisted that the revised law should firstly be compatible with the EU General Data Protection Regulation (‘GDPR’) and secondly respect Switzerland’s current level of protection. The State Council’s compromise proposal now distinguishes between normal profiling and profiling “with high risk”, which requires the consent of the data subject. Companies that collect data and are able to assess “essential aspects of the data subjects” by merging data (profiling), therefore must now comply with more stringent regulations.
What else is new in the FADP?
In contrast to the current Data Protection Act of 1992, the revised Act now defines clear sanctions. The new FADP provides for fines that could be up to 250.000 CHF and can be enforced by the law enforcement authorities of the Swiss Cantons (Art. 60, Chapter 8, FADP). The penalty for data protection infringements is therefore substantially lower than in the EU, where the fines can be up to €20 million or 4% of the total worldwide annual turnover.
Focus on natural persons
Whilst the old Data Protection Act regulates the protection of data of both natural and legal persons, the newly revised Act is limited to data of natural persons, just like the GDPR (see Recital 14, GDPR).
Privacy by Design and Privacy by Default
Data protection must already be technically integrated when a data processing activity is being developed (‘privacy by design’) and should also by default be implemented by means of data protection-friendly settings (‘privacy by default’) (Art. 7, Chapter 2, FADP). These two principles are also laid down in Art. 25 of the GDPR.
Reporting of data protection violations
Data controllers must report a data protection violation to the Federal Data Protection and Information Commissioner as soon as possible if there is a high risk to the personality or fundamental rights of the data subject. If necessary, they must also inform the data subjects (Art. 24, Chapter 2 FADP). This is different to the GDPR that provides for a 72h time frame in which data breaches likely to result in a risk to the rights and freedoms of natural persons need to be communicated to the supervisory authority.
Record of processing activities (‘Verzeichnis der Bearbeitungstätigkeiten’)
Companies with at least 250 employees will have to document all of their processing activities, including the Controllers and the purpose for processing. In contrast to the GDPR, however, less information has to be provided and there are many exceptions listed in Art. 20 of the FADP, such as legally required processing activities, that do not need to be documented.
Enhanced rights of data subjects
Individuals whose data is processed now have the right to the disclosure of their data as well as data portability and the right to access the data (Art. 25, Chapter 4 FADP). Though not quite reaching the extensive data subjects’ rights level under the GDPR, the rights under the FADP are certainly extended.
Adequacy Decision underway?
It can be seen that with regards to some data protection topics, the FADP strives to attain the level of data protection guaranteed under the GDPR.
The EU Commission will now decide whether Switzerland will be issued an EU adequacy decision meaning that Switzerland offers an adequate level of data protection. Due to the new (above stated) provisions, in particular the strengthened rights of data subjects, Switzerland has good prospects of being issued an adequacy decision.
The provisional text of the Revised FADP can be found here.