The new data protection law
A new data protection law was long overdue. The technical and political tug-of-war took a significant amount of time; Parliament examined the proposal in detail in 2019/2020, although it was not quite clear until the very end whether the two chambers would come to an agreement or if, instead, the new FADP would come to nothing. However, given the importance of the law and some of the extremely complex questions it addresses, the length of this political process is understandable.
The most important thing to know about the revised FADP is that it is not simply a copy of the EU’s General Data Protection Regulation (GDPR). Features specific to Switzerland have either been retained or new ones introduced. However, a certain degree of alignment with the GDPR and the adoption of some of the rules it contains was unavoidable. Numerous overviews and papers providing in-depth and helpful comparisons of the prevailing Swiss law and the GDPR can already be found on the internet and in related literature.1 Only a subjective selection of the most important differences is therefore listed here:
Particularly sensitive personal data:
Although the term “particularly sensitive personal data” is identical to the term used in the GDPR, the definition thereof is not identical and is broader in scope than in the provision contained in the current FADP. This category now also includes data relating to a person’s ethnic group as well as genetic and biometric data that identifies a natural person.
Profiling:
This concept is a new addition to the Swiss Data Protection Act and was taken from the GDPR. Put simply, profiling is the automated assessment of personal data such as data concerning health, location, etc. Two types exist: “profiling” and “high-risk profiling”. The latter consists of profiling that links data in a way that makes it possible to determine important aspects of the data subject. This is very similar to the concept of “personality profile” contained in the existing FADP, but that is no longer included in the new FADP.2 The term “high risk” indicates an increased probability of a breach of privacy. The new FADP does not contain a basic requirement to obtain consent for profiling from the data subjects.
Broader duty to provide information:
The duties of those responsible (i.e. the person or federal body that determines the purpose and means of data processing) to provide information are significantly expanded in the new FADP. On the one hand, data subjects will basically have to be informed in every instance that personal data is collected (no longer only for sensitive personal data). On the other hand, this duty to inform data subjects will cover a broader range of data. Under the new FADP, the minimum information to be provided comprises the identity and contact details of the person or federal body responsible, the purpose of data processing and, if applicable, the recipients of the personal data, if no data is disclosed abroad. If data is disclosed abroad, then additional duties to provide information apply.
Rights of data subjects:
Data subjects (who, for the purpose of the act, are understood as being natural persons whose personal data are processed) now have the right to receive and transmit data, in addition to the expanded rights relating to information (see above) and disclosure. Because software (which includes artificial intelligence) is increasingly being used, and because this software sometimes performs automated decision-making tasks (e.g. software-based selection of dossiers during an application process), a right to object has been introduced in cases of automated decision-making. Within this framework, the subject may demand that the automated decision be reviewed by a natural person.
For a number of years now, there has been a tendency to give various administrative bodies the power to impose penalties and to include (more stringent) criminal provisions in laws to ensure the enforcement of regulations. This is now also reflected in the new FADP. Criminal provisions already exist in the current FADP, but the list of offences has been significantly expanded and the maximum fine increased to CHF 250,000. In contrast to the FADP, it is not a company but the responsible natural person that can be held liable, which means this increase in the fine is considerable.
Regulated professions and industries, such as lawyers or banks, are already familiar with legally binding professional secrecy that is punishable if violated. The new FADP introduces professional secrecy for all professions. For example, anyone who deliberately discloses confidential personal data that has come to their knowledge while exercising their profession will be fined up to CHF 250,000. It should be noted that this duty of secrecy explicitly also applies even after the termination of professional activities (or training).
One interesting point worth mentioning about the new FADP is that the criminalisation of the misuse of identity, which has long been called for by experts and politicians, has now found its way into the Criminal Code in the course of the revision.
Viewed overall, the revision of the Swiss Data Protection Act results in a closer alignment with the European standard. However, features particular to Switzerland have been preserved. The consultations on the revised ordinance (likely to take place in the first quarter of 2021) are now eagerly awaited. In the meantime, one thing is clear: companies that have already implemented a GDPR standard will have no trouble implementing the new FADP.
1 See, for example, numerous comments and essays at www.datenrecht.ch; a synopsis of the FADP, GDPR and revised FADP by MEYENBERGER LUSTENBERGER LACHENAL (MML) dated 19.10.2020, which can be found at www.mml-news.com; and DAVID ROSENTHAL, Das neue Datenschutzgesetz, in: Jusletter 16.11.2020.
2 See ROSENTHAL, Das neue Datenschutzgesetz, RN 27.