On September 1, IAPP's KnowledgeNet in Basel, Switzerland, hosted a presentation on the revision process of the Swiss Federal Act on Data Protection (FADP), delivered by David Rosenthal, a member of the data protection expert working group.
Rosenthal started with an explanation of the two triggers behind the revision process of the FADP: In 1997, Switzerland ratified the Convention 108 for the Protection of Individuals with Regard to the Processing of Personal Data (Convention 108) and transposed it into national law in the form of its FADP. Convention 108 is currently under revision, and the revision will be completed by the end of 2015. From there, EU member states will have two years to incorporate the changes into their national laws. The majority of definitions, principles and concepts discussed in the revision process of Convention 108 are compatible with the EU General Data Protection Regulation (GDPR).
Secondly, in December 2011, the Swiss Federal Council evaluated the FADP and issued a report outlining areas for potential improvement. As the next step, a data protection expert group was formed to provide input on the identified areas for improvement. On April 1, the Federal Council instructed the Federal Department of Justice and Police to prepare a draft of the revised FADP by August 2016. In that process, they were asked to take into account, first and foremost, the changes proposed by the revised Convention 108. Once the draft is prepared, a public consultation will be held.
Major Changes to the FADP
- The FADP's definition of sensitive personal data is likely to be extended to biometric and genetic data. However, a risk-based approach to the processing of sensitive data will remain, as opposed to the EU concept of explicit consent.
- The concept of "personality profile" is likely to be deleted from the current FADP.
- Currently, the FADP distinguishes between "data owners" and "parties mandating processors," but it is likely to adopt the terms "data controller" and "data processor" as used in Convention 108.
- In order to enforce the principles of Convention 108, member states agreed to extend the powers of data protection authorities (DPAs), which will be able to take direct action against companies violating the law, and introduced administrative sanctions for such violations. It is expected that Switzerland will adopt fines construed similarly to those in the Cartel Act and the Telecommunications Act, going up to 10 percent of annual Swiss revenue.
Extension of Already-Existing Requirements
- The duty to provide data subjects with notice is likely to be extended. The type of information that should be provided to data subjects may be broader and also include the controller's identity, the legal basis and purposes of processing, the categories of data, the categories of recipients and the means of exercising data subjects' rights. In particular, the purpose of data processing will receive special attention, and companies will have to make sure that they explain in detail what they are doing with the data and how it is being used. However, there may be no need to inform the data subject when the data is obtained from third parties and it is "impossible" or "involves disproportionate effort" to provide such information about the data processing.
- The right of access to data is likely to be extended, as opposed to the current obligation, which applies only to data files. What is more, information on the reasoning underlying the results of an automated decision-making process applied to the data subject, e.g., an explanation of why the creditworthiness of a person is particularly low, will have to be communicated to the data subject. However, the right will apply only if the decision significantly affects the data subject, and exceptions are possible on the basis of sufficient justification. Another option being considered is the introduction of a "right of reconsideration" of the automated decision instead of granting just an additional right of consultation.
Provisions Left "As Is"
- Revised Convention 108 does not require any change in the scope of applicability of the FADP. Furthermore, it does not require any other fundamental changes to the basic concepts and definitions.
- In contrast to the new GDPR, it is unlikely that a right to be forgotten will be introduced. The data protection expert group concluded in its meeting that it is not necessary, given that the FADP already provides for "the right to be forgotten" under "the right of objection or correction of data." Nevertheless, there may be political pressure to introduce an obligation to inform third parties of deletion requests.
Additional New Obligations
- The FADP is likely to introduce a data breach notification obligation. In case a data breach "seriously interferes with the rights and fundamental freedoms of data subjects," it will have to be notified at least to the DPA. The DPA will then decide whether data subjects should be notified or not. The Federal Office of Justice is currently discussing whether thresholds for notifying data subjects are necessary.
- The FADP is likely to introduce mandatory privacy impact assessments and an obligation to implement Privacy by Design. The first aims to oblige a company to evaluate the effects of each and every data processing operation on data subjects. The second strengthens the already-existing requirement to adopt adequate technical and organizational measures. It requires designing data processing in a manner that prevents or limits the risk of an infringement of one's right to data protection and that adequately addresses the identified risks, the nature and volume of the data processing and the size of the company. Upon request from a data protection authority, a company may have to demonstrate compliance with these duties, supported by relevant documentation.
Rosenthal concluded that politicians seem to realize that excessive data protection regulations can cause considerable damage without really improving anything; however, they want to send a signal that companies should start taking data protection seriously. For the private sector in Switzerland, the revised Convention 108 will be much more important than the new GDPR. The advantage is that Swiss lawmakers take a much more pragmatic approach to the revision of the FADP than EU lawmakers. Companies should not be afraid of the changes, since they are unlikely to be a revolution in data protection but rather an evolution. However, companies should now start considering a greater investment in data protection compliance and governance if they have not done so to date.
As a first step in preparing for the changing legal landscape, companies should consider assessing the current maturity level of their data protection program.