On 15 September 2017, the Swiss Federal Council issued the draft of the revised Swiss Federal Data Protection Act (DPA). This draft arrives approximately nine months after the publication of the preliminary draft, which was issued on 21 December 2016, and marks yet another decisive step towards the overhaul of the Swiss data protection landscape.
The draft DPA, the explanatory report of the Swiss Federal Council and the summary of the results of the consultation process are available here in German, French and Italian. An unofficial English translation of the draft DPA is available here.
The DPA revision is an ongoing process intended to modernise Switzerland’s data protection landscape and align it with revised EU legislation. For further information on this process, see our news of 22 December 2016 available here.
Some key novelties of the draft DPA compared to the present DPA are:
- Transparency in data processing is increased. In particular, private sector actors will have a duty to inform data subjects in the event of data collection and processing;
- Self-regulation shall be encouraged. Professional and business associations may prepare codes of conduct and submit them to the Federal Data Protection and Information Commissioner (Commissioner) for the delivery of an opinion;
- The data controller will have to perform an impact assessment whenever it appears that envisaged data processing may lead to an increased risk on the data subjects’ personality and fundamental rights, although some exceptions apply;
- A duty to notify the Commissioner or even the data subjects in cases of breach of data protection will bind data controllers;
- The present rules on personality profiles will be abolished. However, they will be replaced by new rules on profiling;
- The draft introduces privacy by design and privacy by default. Hence, data protection must take place from the outset, i.e. from the conception of the processing, and the least invasive settings must be applied by default;
- The duty to declare the file to the Commissioner will be abolished for private actors. Data controllers and data processers must however keep an inventory of their processing activities;
- Protection for data specifically pertaining to legal entities will be removed from the DPA;
- The Commissioner shall obtain greater powers. He will be able to render binding decisions on data controllers and processors;
- Criminal sanctions for data protection misconduct will be increased significantly. In fact, fines of up to CHF 250,000 may be levied in case of intentional offenses against certain provisions of the revised DPA;
- Various amendments to other laws will be implemented alongside the revision of the DPA. This will in particular impact the Swiss Federal Penal Code (CP), the Swiss Federal Code of Penal Procedure (CPP) and the Swiss Federal Code on Civil Procedure (CCP). In particular, no court fees will apply to civil proceedings pertaining to the DPA.
The legislative process now involves parliamentary debates on the draft DPA, subsequently to which the final draft shall enter into force (subject to referendum). There is currently no date for the entry into force of the revised DPA, although this might take place on 1 August 2018 as the Swiss Federal Council wishes to implement the new legislation as soon as possible in line with international engagements.
We have prepared a chart comparing the provisions of the draft DPA to those of the current DPA and those of the preliminary draft. The chart can be found here (available in German only).