12 December 2019 – Following its decision of 30 October 2019, the Federal Council adopted the dispatch on the approval of the Protocol amending the Data Protection Convention of the Council of Europe at its meeting of 6 December 2019. However, ratification still requires the approval of Parliament. Accession to the modernised Convention will ensure that the increasing data protection requirements for the processing of personal data in an international context are met. In particular, cross-border data traffic will also be facilitated; for example, the EU Commission takes into account whether the relevant third countries have acceded to the Convention when deciding on the existence of an adequate level of data protection in a third country.

According to the Protocol of Amendment, various obligations of the person responsible will be extended, such as reporting obligations to the supervisory authority in the event of data protection violations, an obligation to carry out a data protection impact assessment and the duty of the person responsible to provide information. Furthermore, the principles of Privacy by Design and Privacy by Default will be anchored. In addition, the signatory states are urged to introduce a system of sanctions and legal remedies, which goes hand in hand with the authority of the supervisory authorities to issue binding decisions; this point will probably be one of the main sticking points against the background of the system of Swiss data protection law.

The corresponding amendments must also be included in the Data Protection Act (DPA); the draft of the revised DPA has just been discussed by the Commission of the Council of States and will now be debated in the Council of States within the framework of the current winter session. As soon as the consultations in this sense have been concluded, both the DPA and the Federal Decree approving the new Data Protection Convention can be adopted and the new Data Protection Convention ratified.

It should be noted that ratification is also binding on the cantons. They are obliged to comply with the new requirements of the Protocol of Amendment and to implement them in their legislation, i.e. the cantonal data protection laws will also have to be adapted if necessary.