Data Protection Act submission is accepted by the Political Institutions Committees of the Council of States. However, the Commission also requests the Council of States to tighten up the provisions of the EU adequacy decision.
On 20 November 2019, thePolitical Institutions Committees (PIC) of the Council of States concluded the preliminary consultation on the draft of the Data Protection Act and unanimously adopted the bill in the overall vote. The Council of States will thus discuss the matter in its winter session from 2 to 20 December 2019.
The PIC aims to bring Swiss data protection law into line with EU law and requests its Council to deviate from the decisions of the National Council on several points, in particular where the version adopted by the National Council represents a step backwards from the applicable law or a lower level of protection than EU law.
The PIC applies for the following tightening of the Data Protection Act:
- Trade union views or activities should be considered as sensitive personal data;
- Abolition of the exemption from the duty to provide information in the event of disproportionate effort;
- The information to be provided in order to exercise the right to information is not exhaustive;
- Deliberate non-compliance with data security requirements will be punishable by criminal law;
- “High risk profiling” as an independent term with an increased level of protection;
- Higher level of data protection in the case of credit checks;
- Journalistic research covered by justification for data processing.
Thus, the PIC decided to include data on trade union views or activities in the list of particularly sensitive personal data again and in accordance with EU law.
The PIC has also decided to lift the exemption from the duty to provide information in the event of disproportionate effort, which was decided by the National Council.
Contrary to the decision of the National Council, the Commission also refrains from conclusively listing the information to be provided when exercising the right to information.
The PIC then requests that the intentional non-compliance with the requirements for data security be sanctioned under criminal law.
In order to increase the level of protection under Swiss data protection law, the SPK-SR further requests that the term “high-risk profiling” be included in the Data Protection Act and that increased protection be provided if data processing falls under this category.
In addition, the PIC is of the opinion that the rights of persons undergoing a credit assessment must be better protected. For this reason, the SPK-SR has unanimously restricted the processing of data older than five years or relating to minors.
The PIC also addressed the concerns of the media companies by enabling the media to justify data processing that infringes personal rights under data protection law even if this data was collected and stored with a view to publication but was not published.
Finally, the PIC has followed the National Council’s lead regarding the simplifications from which companies can benefit if they appoint a data protection advisor. According to the Commission’s media release, self-regulation and the sense of responsibility of companies can thus be strengthened.