The Federal Council has issued a preliminary draft of a revised Swiss Federal Data Protection Act – Businesses will need to adapt

22. Dezember 2016 – On 21 December 2016, the Swiss Federal Council issued the long-awaited preliminary draft of a revised Swiss Federal Data Protection Act (DPA), proposing a major overhaul of the current data protection regime (documentation available here). Businesses are strongly advised to anticipate these changes and adapt their practices in a timely manner.

The overhaul of the DPA has been prompted in part by the changes affecting European legislation. Indeed, two European acts, Regulation EU 2016/679 – the so-called General Data Protection Regulation –, and Directive EU 2016/680, as well as amendments to the Council of Europe Treaty 108 bring extensive changes to the legal landscape.

Moreover, the fast-evolving technological backdrop has progressively been eroding the relevance of the present DPA, which was drafted before the emergence of many of today’s key technologies and processes.

The preliminary draft contains many novelties and departs from the present DPA in a number of ways which must be anticipated. In particular, we highlight the following essential aspects of the proposed revision:

  • Transparency in data processing is increased. In particular, data subjects must be informed about the collection and processing of personal data;
  • The controller will have to perform an impact assessment whenever it appears that envisaged data processing may lead to an increased risk affecting the data subjects’ personality and fundamental rights;
  • Data breaches shall be notified to the Federal Data Protection and Information Commissioner (Commissioner) unless an exception applies;
  • Data processors may only engage sub-processors with the prior written consent of the controller;
  • The concept of “personality profile” is replaced by “profiling”;
  • The preliminary draft introduces data protection by design and data protection by default. Hence, data protection shall be taken into consideration from the outset of a conceived data processing, in particular by implementing appropriate technical data protection measures and any data processing must be set up with privacy by default settings;
  • Protection for data pertaining to legal entities shall be removed from the DPA. The Federal Council considers that such a protection never played a fundamental role and, more importantly, contradicts European law which grants no such protection;
  • Self-regulation shall be encouraged and the Commissioner shall be called upon to edict extensive good practice recommendations;
  • The duty to declare files to the Commissioner shall be abolished for private persons. An obligation to document the data processing will however replace it;
  • The Commissioner shall have the competence to render binding decisions;
  • Criminal sanctions for data protection misconduct shall be increased significantly. In particular, fines of up to CHF 500,000 may be levied in case of offenses against the revised DPA;
  • Various amendments to other laws shall be implemented alongside the revision of the DPA. This will in particular impact the Swiss Federal Penal Code (CP) and the Swiss Federal Code of Penal Procedure (CPP).

The legislative process will follow through, with the consultation period running until 4 April 2017. The final wording and entry into force of the revision depends on the outcome of the consultation process and the subsequent parliamentary debates.

We nevertheless encourage businesses to use this time to proactively assess the preliminary draft’s impact on their activities and already start implementing or elaborating processes that will comply with the expected text of the future DPA. In particular, the following steps are helpful:

  • auditing the internal data protection processes;
  • performing a risk assessment in anticipation of the revised DPA;
  • reviewing and/or enhancing contracts, policies, documentation and practices.

Businesses will have to appraise on a case-by-case basis the extent to which their data protection processes need to be modified.