Jürg Schneider is a partner at Walder Wyss and head of its Lausanne office. His practice areas include information technology, data protection and outsourcing. He regularly advises both Swiss and international firms on comprehensive licensing, development, system integration and global outsourcing projects. He has deep and extensive experience in the fields of data protection, information security and e-commerce, with a focus on transborder and international contexts. He frequently publishes and lectures in his areas of focus.
David Vasella is a partner and co-head of the regulated markets, competition, tech and IP team. He advises Swiss and international clients on a wide range of IT and data protection matters, including compliance implementation projects, and provides clear and actionable advice on issues such as data protection, data monetisation, analytics, secrecy obligations, cloud outsourcing arrangements and advertising law. He frequently publishes and lectures in his areas of focus.
Hugh Reeves is a managing associate in the regulated markets, competition, tech and IP team. He advises clients in matters of technology transactions, commercial contracts, telecommunications, intellectual property and digitalisation. He is active in the areas of data protection as well as e-commerce and assists clients with their entry or expansion in the Swiss market.
1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?
Cybersecurity is a hot topic in Switzerland. Although the number of cyberattacks is consistently growing each year, many commentators have highlighted the fact that companies incorporated in Switzerland as well as public bodies tend to underestimate or mismanage – either through a lack of clear information or of proper legal incentives – the risks posed by cybersecurity. As a result, these organisations are not sufficiently prepared to combat and withstand cyberthreats.
In light of the above, the Swiss government has in recent years put some effort into raising awareness in industry and helping organisations move towards better cybersecurity preparedness.
At first, the Federal Council (the federal executive body) adopted a national strategy for the protection of Switzerland against cyber risks (NCS). This strategy was set up to implement a variety of measures in order to improve cybersecurity awareness and preparedness, one of them being the creation of a centralised cybersecurity body at the federal level, the National Cyber Security Centre (NCSC). This new organisation aims to create a nationwide response to cyberthreats and serves as a unified contact point for the industry.
On another level, the Swiss parliament adopted a new Federal Act on Data Protection (FADP) on 25 September 2020. This new law will enter into force on 1 September 2023. In many areas, the revised FADP has been aligned with the provisions of the General Data Protection Regulation (GDPR) applicable in the EU. However, the Swiss law often does not go into the same level of detail as its EU counterpart. Nevertheless, the revised FADP does contain its own material specificities, not the least of which is the existence of sanctions for individuals (ie, not the legal entity itself) in the event of violations of the data protection provisions. It should, however, be borne in mind that many companies active in Switzerland also fall under the scope of the GDPR, because of the orientation of their activity towards the European Economic Area (EEA).
In addition, the Federal Council proposed, in December 2020, introducing a breach notification obligation in cases of cybersecurity incidents affecting critical infrastructure, on the grounds that perpetrators of cyberattacks often use similar methods and patterns against critical infrastructure in different sectors. This breach notification obligation could thus significantly enhance the cyber resilience of critical infrastructure by quickly identifying attack methods and transmitting corresponding alerts. To date, the project has not yet materialised. However, in January 2022, the Federal Council published an explanatory report and initiated the legislative process (consultation). The consultation process ended in mid-April 2022 and should result in the adoption of a cyberattack information duty upon operators of critical infrastructure.
2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?
Under general Swiss data protection law, there is currently no provision implementing a duty to report data breaches to an administrative body or to the data subjects themselves.
However, some commentators argue that controllers are under an obligation to do so pursuant to the principles of good faith and transparency. In addition, many controllers are bound by contractual provisions that may call for the controller’s disclosure of (certain) data breaches. Furthermore, some would argue that there is a public reporting duty, based on the principles of good faith and transparency, if an individual notification to each data subject appears unfeasible or unreasonable.
This situation will change as of 1 September 2023. According to the new FADP, the controller of the data will be required to inform the Federal Data Protection and Information Commissioner (FDPIC) – the Swiss data protection authority – of any data security breach that could potentially result in a high risk to the personality rights of the data subjects. To this extent, Swiss law is expected to be somewhat more lenient than EU law, as the threshold for informing the FDPIC will be higher (‘high risk’ v. ‘risk’).
The notification will have to indicate at least the nature of the data security breach, its consequences and the measures taken or planned. The notification will have to be made as soon as possible, depending on the circumstances of the case. As a general principle, we believe that the notification period should depend on the damaging consequences of the leak. The greater the potential harm, the sooner the notification of the breach.
Furthermore, the controller must also inform the data subjects, when necessary for their protection or if specifically required by the FDPIC. This information can be restricted, postponed or waived under certain circumstances, for example, if there is a legal duty to maintain a secret, if the information is impossible to provide or requires disproportionate efforts or if the information of the data subject can be guaranteed in an equivalent manner by public disclosure.
It is important to note that the data processor will also have an obligation to notify the controller of any data security breach as soon as possible under the new law.
Under the new law, individuals who intentionally breach certain provisions of the FADP will face a criminal fine of up to 250,000 Swiss francs. This is significantly higher than under applicable law, where breaches of the FADP can be sanctioned with a maximum fine of 10,000 Swiss francs – and only under certain restrictive circumstances. However, failure to report a data breach incident does not directly fall under the scope of these criminal sanctions. Accordingly, there will be no criminal prosecution for a reporting duty breach under the revised FADP, though a sanction can be levied if it appears that the minimum data security requirements were not in place.
Furthermore, the FADP states that if an organisation notifies a data breach in accordance with its obligation pursuant to the new law, this notification may not be used in criminal proceedings against the person obliged to notify without its consent. The protection of the data controller is thus reinforced. This provision intends to encourage organisations to report any data security breach in compliance with the law, without having to fear for a conviction in a subsequent criminal proceeding.
Despite the absence of any criminal sanctions, an organisation failing to report a data security breach may expose itself to serious reputational harm if the information goes public through other channels. Therefore, organisations would generally be well advised to strictly adhere to the legal framework, which they should interpret in a prudent (ie, expansive) manner.
3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?
The main issues can be subdivided into four chronological phases that a company has to go through when suffering a data security incident.
First, organisations must determine the exact cause of the cybersecurity incident. It is very important to know whether the incident is due to a technical issue or if the company was subject to a cyberattack. This will then allow the organisation to take adequate measures to remedy the data security incident (internally or with involved third parties such as storage providers). Once the cause of the incident has been identified, the organisation should also be able to assess whether the incident is over or whether it is still ongoing, as may be the case if an ill-intentioned actor revealed a backdoor in the company’s IT systems and shared those revelations with third parties.
Second, but in parallel, organisations must determine the exact impact of the cybersecurity incident. Importantly, organisations must know as quickly as possible whether data was potentially stolen, disclosed or lost. If so, the exact scope of the data incident must be clarified, particularly if personal data or confidential information affecting contractual partners are impacted.
Third, under the revised FADP, if it appears that personal data or confidential information was impacted by the incident, the company’s management or another designated person within the company must determine whether there is a high risk that the personality rights of the data subjects may be violated. More often than not, this will be the case at this stage, as it is rather difficult to categorically exclude the infringement of personality rights of data subjects. It should also be borne in mind that organisations are required to make a quick decision in this situation, which should lead them to admit the existence of such a risk, except in a few rare cases.
Fourth, still under the new law, if there is a high risk for the personality rights of the data subjects, the company’s management or another designated person within the company must decide whether or not the company should notify the data breach to the FDPIC or the data subjects themselves. Regarding the factors and risks to be considered in this respect, reference is made to the developments in question 2.
4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?
An initial step is to assess the level of compliance with the GDPR. Many Swiss-based companies already fall under the scope of the GDPR, given the latter’s extraterritorial scope of applicability. These businesses therefore need to aim for GDPR compliance. As a result, companies in Switzerland had to bolster their data security and adopt mechanisms to prevent data breaches in accordance with the requirements under the GDPR. That said, those organisations that already comply with EU law will largely be prepared under the revised FADP as well.
Nevertheless, some adjustments may be necessary to meet the specific requirements of the revised FADP. For instance, businesses would be well-advised to perform an audit of the existing internal data protection processes or perform a specific risk assessment. This could give rise to a need to review and enhance processes, practices, documentation, contracts, policies and notices, and a need to establish new ones.
Companies should, however, not only focus on adopting measures to prevent the risk of cyberattacks, but also on developing internal regulations as to how to react to a data breach. Proper management of a cybersecurity crisis is more effective if organisations have clear guidelines in terms of competences and procedures. The individuals in charge must be able to follow a straightforward procedure to determine the cause of the data breach as quickly as possible and to determine whether data has been impacted or not. This gives companies a vital safety belt at a time when fast thinking and swift decisions are key.
In any event, organisations must assess on a case-by-case basis the extent to which their data protection processes need to be adjusted. Swiss companies that do not fall under the scope of the GDPR and have not implemented any changes thereunder will likely need to put in additional effort towards compliance with the revised FADP.
5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?
The use of cloud services is widely accepted in Switzerland and is often a better choice in terms of data security in comparison with an internal IT storage set-up. This is because third-party cloud providers need to be constantly up to date with the latest technological evolutions to achieve adequate data security. To that extent, they can be seen as specialists in their field of expertise. In addition, cloud providers often have deep and extensive experience in the hosting area. Therefore, transferring data to a reputable cloud hosting environment is often seen as a best practice in terms of data security.
One much-discussed topic is the relevance of certifications when it comes to choosing between different cloud hosting services. Swiss law imposes a general obligation on cloud providers to ensure adequate data security. For that purpose, many cloud service providers have sought to obtain data security and cybersecurity certifications, aiming to reassure potential clients that their data is in good hands. That said, certifications should still be seen mostly as a form of guidance rather than any exhaustive guarantee as to service quality. In any event, clients should also choose a cloud provider considering other factors, such as business continuity, key performance indicators and an adequate support level.
On the other hand, privacy becomes a serious issue when transferring data to a cloud hosting environment, especially if the provider is located abroad in a country that is not deemed to have an adequate level of data protection in its own legal landscape. The country in which the hosting (or data access) occurs will determine which additional steps the parties need to take, such as conducting a data transfer impact assessment and implementing safeguards. Failure to take these measures could qualify as a breach of the Swiss data protection legislation.
As a result, in a cloud services scenario, the parties may have to conduct a data protection impact assessment and implement additional safeguards in cases of cross-border disclosure or storage of personal data. One way to compensate for the lower level of data protection is to incorporate contractual clauses, especially the ‘Standard Contractual Clauses of the European Commission’, adapted to Switzerland.
In summary, the reliance on an external cloud hosting environment is, for the data controller, very much a balancing act between the numerous technical advantages, on the one hand, and the need for a correct legal assessment and set-up on the other.
6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?
As mentioned in question 1, the Swiss government adopted the NCS and set up the NCSC. This has primarily helped to achieve awareness among the various actors of the market regarding the risks posed by cyberattacks.
On 18 May 2022, the Federal Council took note of the report on the effectiveness assessment of the NCS and decided to create a further 25 positions in the area of protection against cyber risks. It also decided to turn the NCSC into a federal office and instructed the Federal Department of Finance (FDF) to prepare proposals by the end of 2022 regarding how the office should be structured and which department it should be part of. This demonstrates a firm intention to further strengthen the nationwide response to cybersecurity threats and criminal activity.
Moreover, the Swiss Federal Council initiated steps towards adopting policies and regulations concerning the specific topic of cybersecurity. This represents a break from the past, as cybersecurity was traditionally addressed as a subtopic of data protection and data security. The recent developments have shown that cybersecurity is now a focus for the Swiss government.
Despite the above, the Swiss legislative process is comparatively slow. For this reason, the current discussions surrounding cybersecurity are not expected to lead, in the short term, to the adoption of an overarching legislative act on cybersecurity standards.
Nonetheless, the absence of clear cybersecurity standards on the legislative level has paved the way for some public-private organisations to contribute to the development of a response against cyberthreats in Switzerland. For example, a private–public initiative was created under the name ‘Trust Valley’. This project aims to further enhance Switzerland’s position as a hub for matters of digital trust and cybersecurity. On another level, the DiploFoundation, the Federal Department of Foreign Affairs (FDFA) and the Federal Office of Communications joined forces to create the Geneva Internet Platform, a discussion centre for digital policy matters, including those pertaining to cybersecurity.
In addition, cybersecurity has also become a favoured topic for higher education institutions, which often have specialised centres focusing on this matter. This is, for instance, the case for the Swiss Federal Institute of Technology in Zurich (ETH), which opened a Center for Security Studies. A similar study path was launched at the Swiss Federal Institute of Technology in Lausanne (EPFL), resulting in the setting-up of the Center for Digital Trust (also known under the moniker C4DT).
Furthermore, the ETH and the EPFL have joined forces with the national defence in creating the ‘Cyber-Defense Campus’ under federal direction, which brings together governmental, academic, and industrial actors to reflect on cybersecurity in the context of national defence.
The above-mentioned initiatives show that Switzerland is committed to promoting a solid response towards cyberthreats.
7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?
M&A deals are truly multifaceted as they involve many legal considerations. We can highlight the following.
From the selling company’s perspective (ie, the company that should be acquired at the end of the deal) it must be kept in mind that, in the near or medium future, its data will often be stored with the acquiring company’s data (meaning on common servers or with a common provider). The buyer will rarely be interested in relying on separate IT systems or on separate hosting providers, because doing so would not only increase costs, but would complicate the management of the IT systems and data storage. Even in the case of fully separated data storage, the acquiring company will usually and eventually have the right to access all the selling company’s data, by simple virtue of being the owner or majority shareholder of the selling company. This is true in particular in the case of ‘share deals’. In the case of ‘asset deals’ where there is no change of hands of the shares and the rights attached thereto, the situation can be comparable – or even more drastic – as the transferred assets may include data sets. The selling company will also need to ensure that it may disclose certain information, such as employee names, during the due diligence process leading up to the M&A deal, as failing to do so could give rise to liability in particular under data protection law.
Though the concerns raised above are often harmless in practice, such deals could have a negative impact, at least on the reputation, for a selling company that built its reputation, for instance, on outstanding data security or on storage solely in a given jurisdiction (as is frequently the case). The selling company should therefore carefully consider this point and determine if it wishes to risk its hard-earned market reputation.
From the buyer’s perspective, data security issues are a hot topic. A data breach could involve the loss of valuable trade secrets, such as secret recipes, client lists, production methods and so forth. Moreover, the reputational harm frequently associated with (publicised) data breaches not only risks spreading to the buyer but also may reduce the market value of the selling company’s trademarks as well as its market valuation. As an example, publicly traded companies tend to experience a noticeable dip on the stock market if they suffer a cybersecurity event. Also, under the GDPR, data breaches may lead to high fines. As these fines are calculated on the entire group turnover, acquiring a company that is still breaching data protection rules could have an even higher financial impact. For this reason, conducting extensive privacy and data security due diligence is of the essence in any M&A deal.
Of course, data protection in general is an important topic as well, because the buyer will want to ensure that it can use the data for its business after the deal. This would be difficult or even impossible if the data was not lawfully collected, for instance.
The Inside Track
When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?
Cybersecurity is very much an area where experience is necessary. That said, clients should ultimately base their choice on personal preference. When dealing with cybersecurity, a lot of the underlying information is highly sensitive, and the client–attorney relationship will need to rely on the highest level of trust in order for it to bear fruit.
What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?
First, the relevant technologies are evolving very rapidly. We enjoy following technological evolutions and catching a glimpse of tomorrow’s technologies. Second, we are frequently dealing with international matters. This multinational context is rife with complexities but is, for that very reason, a real pleasure to work with.
How is the privacy landscape changing in your jurisdiction?
A fully revised data protection act was adopted by Parliament in September 2020, and this piece of legislation is expected to come into force on 1 September 2023. This new law is going to bring closer alignment to the EU’s GDPR. We are also following with a lot of interest the public dialogue around privacy. These are reflected in the discussions surrounding telecommunications surveillance, which often boils down to strong privacy prerogatives versus governmental access to personal information for security purposes.
What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?
Ransomware and attacks aiming at the theft of trade secrets are two types of incidents that require constant and high awareness. That said, companies need to evaluate their cybersecurity worst case scenario individually. Even though companies can evaluate cyber risks on a general level, they are also right to keep in mind that their situation is always unique and requires a tailored approach.