On September 15 2017 the Federal Council issued a draft of the revised Federal Data Protection Act. This draft arrives approximately nine months after the publication of the preliminary draft, which was issued on December 21 2016, and marks yet another decisive step towards the overhaul of the Swiss data protection landscape.
The draft act, the explanatory report of the Federal Council and the summary of the results of the consultation process are available in German, French and Italian on the Swiss Confederation website.(1)
The act's revision is an ongoing process intended to modernise Switzerland's data protection landscape and align it with revised EU legislation.
Some key novelties of the draft act include the following:
- Transparency in data processing has increased. In particular, private sector actors must inform data subjects in the event of data collection and processing.
- Self-regulation will be encouraged. Professional and business associations may prepare codes of conduct and submit them to the federal data protection and information commissioner for an opinion.
- The data controller must perform an impact assessment whenever it appears that envisaged data processing may lead to an increased risk regarding the data subjects' personality and fundamental rights, although some exceptions apply.
- A duty to notify the commissioner or even the data subjects in cases of breach of data protection will bind data controllers.
- The present rules on personality profiles will be abolished and replaced by new rules on profiling.
- The draft act introduces privacy by design and privacy by default. Hence, data protection must take place from the outset (ie, from the conception of the processing) and the least invasive settings must be applied by default.
- The duty to declare the file to the commissioner will be abolished for private actors. However, data controllers and data processors must keep a register of their processing activities.
- Protection for data specifically pertaining to legal entities will be removed from the act.
- The commissioner will obtain greater powers and be able to render binding decisions on data controllers and processors.
- Criminal penalties for data protection misconduct will be increased significantly. Fines of up to Sfr250,000 may be levied in case of intentional offences against certain provisions of the revised act.
- Various amendments to other laws will be implemented alongside the revision. This will particularly affect the Federal Penal Code, the Federal Code of Penal Procedure and the Federal Code on Civil Procedure. Court fees will not apply to civil proceedings pertaining to the act.
The legislative process now involves parliamentary debates on the draft act, subsequent to which the final draft shall enter into force (subject to a referendum). There is currently no date for the entry into force of the revised act, although it is expected to take place on August 1 2018 as the Federal Council wishes to implement the new legislation as soon as possible in line with international engagements.
For further information on this topic please contact Jürg Schneider or David Vasella at Walder Wyss Ltd by telephone (+41 58 658 58 58) or email (firstname.lastname@example.org or email@example.com). The Walder Wyss website can be accessed at www.walderwyss.com.
(1) An unofficial English translation of the draft act will be available shortly at www.dataprotection.ch.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.