On 15 September 2017, the Federal Council published the draft and the dispatch regarding the new Data Protection Act (DPA). The consultation process regarding the preliminary draft had led to much criticism, in particular with regard to an extensive "Swiss Finish" compared to the requirements of the EU General Data Protection Regulation (GDPR). The draft now takes a more risk-based and technology-neutral approach. In terms of content, the draft is closer to the GDPR and the current DPA than the preliminary draft (cf. the Schellenberg Wittmer Newsletter of March 2017).
This news alert aims to shed light on some relevant aspects and differences from the preliminary draft, without claiming to be exhaustive.
The most important changes compared to the preliminary draft
In the preliminary draft, the comprehensive but not clearly defined documentation duty faced strong criticism. The documentation duty has now been replaced by the duty of the controller and the processor to keep a register of processing activities. The Federal Council can exempt companies with fewer than 50 employees from keeping such a register, provided that their activities entail a low data protection risk. This would in particular relieve non-digital SMEs of administrative burden.
The obligation of the controller to carry out a comprehensive privacy impact assessment and to submit it to the Commissioner (Federal Data Protection and Information Commissioner) has also been mitigated. The controllers will only be required to carry out a privacy impact assessment if there is a "high risk" to the personality or fundamental rights of the data subjects; this threshold corresponds to the one set in the GDPR. In the case of certified data processing or data processing based on codes of conduct (see below), a privacy impact assessment may be omitted. The controller is also exempted from the obligation to consult the Commissioner if he instead consults with the in-house data protection advisor (re-introduced in the draft DPA). These amendments promise to reduce the paralysing and costly burden of privacy impact assessments criticised in the consultation process.
Regarding cross-border data transfers, the data exporter is no longer required to carry out a separate assessment if the Federal Council has passed an appropriateness decision regarding the destination country. In such cases, the export of personal data from Switzerland to the destination country is considered permissible without further verification by the controller. It will suffice to consult the list of countries considered to offer adequate data protection. Also, the duty to notify the Commissioner has been toned down; in particular, a notification is no longer required if standard data protection clauses are used that have been approved by the Commissioner. If other data protection clauses are used, it is no longer necessary to have them approved as is currently the case under the DPA.
In order to promote self-regulation, the concept of codes of conduct (best practice) has been introduced, specifying, for example, the "high risk", the information duty or the obligation to carry out privacy impact assessments. Unlike in the preliminary draft, only professional and trade associations, authorised to protect the economic interests of their members in accordance with their statutes, shall be allowed to define such codes of conduct. In contrast to the GDPR and the preliminary draft, the Commissioner will only be able to publish a statement on such codes of conduct; it will not be necessary to have them approved by the Commissioner. The statement of the Commissioner will not be legally binding.
Processors will face fewer obligations than in the preliminary draft. In addition to being exempted from carrying out privacy impact assessments, they will not have to implement the principles of privacy by design or privacy by default nor provide information to the data subjects, even if the controller is unknown or located outside Switzerland.
The maximum penalty for violations of the DPA has been cut in half to CHF 250,000 and the list of violations subject to penalty has been reduced as well. Negligence is no longer subject to penalty. The penalties still affect primarily natural persons. The employer may be ordered to pay fines of up to CHF 50,000 in lieu of the employee if the identification of such employee would lead to disproportionate investigation efforts. In contrast to its counterpart under the GDPR, the Commissioner will not have the competence to impose administrative sanctions. Although the penalties have been reduced as a whole compared to the preliminary draft, the fact that the sanctions system per se remains unchanged (criminalisation of the natural person instead of administrative sanctions for companies) is somewhat of a drawback of the draft.
First conclusions and outlook
The critical voices raised in the consultation process have not remained unheard. The draft is now more aligned with the GDPR as well as with the current DPA than the preliminary draft was. The idea of a "Swiss Finish" has been abandoned to a great extent and many administrative hurdles have been removed. The draft will ensure that Switzerland will, from an EU perspective, continue to offer adequate data protection - without creating excessive obstacles for companies domiciled or operating in Switzerland.
The draft will be discussed in parliament in the winter session of 2017 and possibly in the spring session of 2018. Most likely, it will be passed by parliament at the end of the spring session of 2018, which will trigger the three-month referendum period. All in all, the revised DPA (and the corresponding ordinance) cannot be expected to enter into force before the summer of 2018.