27 June 2017 – On 26 June 2017, the FDPIC published his activity report for 2016/2017 (Report). The Report is available here, in German, French and Italian. The Report provides valuable insight into the activities of the FDPIC over the past 12 months and offers several hints on some key focus areas to watch out for in the future.

The Report is broad and covers not only data protection matters but also issues pertaining to freedom of information as this is also part of the FDPIC’s mandate. Therefore, questions ranging from data protection concerns in fitness wearables to access to information in public procurement procedures are addressed in the Report.

In particular, we can highlight the following topics covered by the Report:

• The preliminary draft of the new Federal Act on Data Protection was published in December 2016 (see our dedicated section on this topic here);
• The FDPIC is closely following, and participating in, international data protection developments. He will in particular also focus on the practical implementation of the Swiss-US Privacy Shield, which was established in January 2017 (see our News dated 12 January 2017) and under which certifications are open as of 12 April 2017 (see our News dated 12 April 2017);
• In the IT sector, the FDPIC describes data protection requirements for Microsoft’s Windows 10 operating system. According to the FDPIC, the solution reached by mutual agreement with Microsoft will as of now serve as a minimum standard as regards the processing of personal data for software applications and services of other businesses;
• The Internet Protocol IPv6 which, according to the FDPIC, creates privacy risks that need to be addressed;
• Electronic patient files which will increase the FDPIC’s workload as he is in charge of data protection surveillance (see our News dated 14 April 2017);
• Electronic identity where a draft act might lead to the widespread and generalised use of the Swiss social security number (AHV/AVS) as a personal identifier (see our News dated 23 February 2017); and
• The automatic exchange of information in the fiscal realm, data being collected throughout 2017 with the first automatic exchanges to take place in 2018.

As a more general comment, we have noticed that the FDPIC appears intent on keeping up to speed with the new technologies. The FDPIC for instance mentions “Big Data” six times throughout the Report, compared to only one mention in last year’s report. With the changes on the EU level due to the General Data Protection Regulation (GDPR), which is set to take effect on 25 May 2018, as well as the current revision of the Swiss Federal Data Protection Act, we would not be surprised to see additional scrutiny by the FDPIC of businesses relying on big data in the course of their daily operations, especially when their processing activities concern consumers.