
by Florian Schwarb
As of 1 September 2023, the New Federal Act on Data Protection will come into force in Switzerland. We spoke with lawyer and data protection expert David Vasella to find out what will change for consumers and how companies must prepare for this.
In May 2018, the European Union introduced the new General Data Protection Regulation (GDPR). More than five years later, «special case Switzerland» is following suit with its version of the updated Federal Act on Data Protection (FADP). David Vasella, who holds a doctorate in law and is a partner in the law firm Walder Wyss AG, has been dealing with all facets of data protection for years. He’s very familiar with the new laws and regulations that administrations in Brussels and Bern have finally spat out after years of debate.
David: Why does Switzerland need a new Federal Act on Data Protection?
The first federal law on data protection dates back to 1992. In that year Neymar was born, Windows 3.0 was released, Kurt Cobain rocked the globe with Nirvana and Bill Clinton was the President of the USA. Only three years earlier, the World Wide Web had been developed. In short, that’s quite a while ago. Much has changed since then. The New Federal Act on Data Protection is intended to take into account technical and social developments since then. At the same time, it must be compatible with EU law – that is, with the General Data Protection Regulation (GDPR) and a revised convention that Switzerland must implement. Ensuring the free flow of data with our European neighbours is definitely in our interest.
What’s new about the «new» law?
As far as processing standards are concerned, everything remains the same. In principle, no consent or other approval is required for the use of personal data. At least as long as the use of personal data follows the principles of transparency and no data is misappropriated. However, the new law still provides for a second, third and fourth line of defence to ensure comprehensive data protection – a kind of layered, onion-like principle for data protection.
What exactly do these «onion layers» look like?
The second layer consists of flanking measures, such as documentation or risk assessments. The third layer is formed by consumers themselves. They have clearly defined rights and must be actively informed about most data processing. They can also revoke consent and request information about the processing of their data.
That leaves the fourth layer – enforcing the law. Today, the Federal Data Protection and Information Commissioner (FDPIC) can only make recommendations and subsequently bring an action before the Federal Administrative Court if he believes that data protection laws are being violated. Such processes last years. The FDPIC can now issue direct rulings and, for example, demand the adjustment of a data processing operation. If a company disagrees, it must appeal to the Federal Administrative Court.
What specifically happens when companies don’t comply with the Federal Act on Data Protection?
Certain violations are already subject to fines. In practice, however, they’re practically never applied. This changes with the new law. For example, if someone violates the duty to inform, provides incomplete or false data protection information, or transfers personal data abroad without authorisation, a fine of up to CHF 250,000 can be imposed. It’s important to note here that a fine won’t be imposed on a company itself, but primarily on the person who was effectively responsible for the violation of the Federal Act on Data Protection. Anyone who handles personal data therefore has a great interest in taking their job seriously.
As a consumer, what do I need to know about the new FADP?
Basically, not much. It’s companies that have a duty to handle data correctly. You can count on that. If you get a bad feeling, you have all the necessary rights to information to find out how a company handles your personal data.
And how does the new FADP now protect consumer data?
First and foremost, consumer rights are strengthened and transparency is increased. All companies must publish new privacy statements, for example. While this sounds good, it’s not really a useful solution. Even I, as a lawyer, have neither the time nor the will to read all those data protection declarations. However, it’s fundamentally better that companies need to meet more flanking measures to handle personal data consciously and responsibly. Then there are the enforcement mechanisms. As mentioned, the FDPIC can now intervene directly if it believes that data protection is being violated.
The new FADP thus takes a novel approach. Consumer protection is comprehensive and rests on several intertwined pillars. If this has the consequence of effectively improving data protection and protecting consumer confidence, it’s always a good thing.
What obligations do companies have?
Data protection laws impose a significant number of different obligations on companies – and even more on federal bodies. To explain this in detail here would probably bore your users. In short, I’d put it like this: first and foremost, companies have to comply with a series of procedural measures designed to ensure data protection. Still, legislators aren’t asking anyone to die on the hill of data protection, but to manage risks pragmatically. In the age of digitalisation, this is essential anyway.
How will or should the new FADP affect the data protection of an online retailer such as Digitec Galaxus?
Many online retailers already have very good awareness surrounding data protection. Especially in the online sector, data is worth its proverbial weight in gold. It’s usually handled responsibly. This is also due to the fact that EU law, i.e. the GDPR among other things, also applies to Swiss online retailers who are active in Europe. Regarding cookies and online marketing in general, EU law often applies as well. Many Swiss stores already display cookie banners and ask customers if they’re allowed to use them. Under Swiss law, this wouldn’t be necessary at all. EU practices have been affecting Switzerland for a long time.
Constantly having to click through cookie banners is really annoying. What does this have to do with data protection?
The idea is that customers themselves determine what happens to their data online. It’s a valid concern, even if cookie banners are annoying. However, online stores rely heavily on customer trust as they often process sensitive data. So you’re better off explaining to customers what happens to their data. The new FADP is therefore also an opportunity to deal with data in a more transparent way externally and in a more structured way internally. No questions asked: this will have a positive impact on data protection.
Does the new FADP also bring progress in terms of cyber security?
Yes and no. The new FADP contains hardly any specific requirements for cyber security. This also isn’t absolutely necessary. Under current and future law, companies are generally obliged to ensure «appropriate data security» by means of technical and organisational measures. The law doesn’t list any specific measures for this purpose. This would be near impossible anyway. But the new FADP provides for a reporting obligation in the event of data security breaches. If a company is hacked, it may have to report this to the FDPIC. Anyone affected by a security breach must also be informed if this is necessary for their protection.
So, parliament has spent four years brooding over the new FADP, even though a new data protection regulation (GDPR) has long been in force in the EU? Why does Switzerland need a special solution?
That’s a good question. We could’ve simply adopted the GDPR. But European legislation is shaped by a very different culture than data protection laws in Switzerland. The spirit of prohibition pervades the EU. Some regulations are nitpicky and very detailed, which ultimately leads to an enormous amount of documentation. All of this fits poorly with the more liberal Switzerland. In addition, a Swiss GDPR wouldn’t have been able to gain a majority in parliament. Topics such as profiling or the new right to data portability have already prompted endless discussions. In the end, the legislature chose a middle ground.
Are there also differences in content between the New Federal Act on Data Protection and the European GDPR?
Yes, there are many. In simplified terms, I’d describe the new FADP as GDPR-light. A typical example is the obligation to report security breaches. Although this has been adopted in principle, it’s more pragmatic in its implementation than is the case with our colleagues in Brussels. Minor breaches, for example, don’t have to be reported in Switzerland. The same goes for other points.
But there are also cases where the FADP is stricter than the GDPR – for example, in the case of particularly risky processing, there’s an obligation to create processing regulations.
Thank you for your time.
Making sure employees and media know what's up at Digitec Galaxus is my job. But without fresh air and a lot of exercise, I basically stop functioning. The great outdoors provides me with the energy I need to stay on the ball. Jazz gives me the tranquility to tame my kids.