On September 15, the Swiss Federal Council published a bill for the comprehensive revision of the Swiss Federal Data Protection Act. The revision is intended to adapt data protection law to the era of the internet and social media and to improve the protection of privacy. It shall also implement certain developments of EU law (Regulation 2016/679: General Data Protection Regulation) and ensure that data exchanges remain possible between entities domiciled in Switzerland and the EU. The revised Swiss Federal Data Protection Act shall be enacted by August 2018. Here are some of the key features of the bill, which will have a big impact on enterprises in Switzerland and on how they need to adjust their data protection compliance.

More transparency – more work for data controllers

While data relating to legal entities will no longer be protected under the revised Data Protection Act, the rights of individuals are strengthened and the transparency of data processing will be increased. In particular, data controllers will have to notify an individual about any personal data collection. This duty to notify applies not only when personal data is collected directly, but also when it is collected via a third party. The scope of the notification remains unclear and needs to be determined in view of the general objective of enabling individuals to exercise their rights under data protection law.

Privacy impact assessment – a new regulatory tool

Data controllers will have to conduct a "privacy impact assessment" if the processing of personal data may pose an increased risk to the fundamental privacy rights of an individual (for example, in the case of processing of sensitive personal data such as religious or political views, health, the intimate sphere or racial origin). The privacy impact assessment is an instrument to identify and assess such risks and to determine appropriate measures to deal with them. The controllers must notify the Data Protection Supervisor about the outcome of the privacy impact assessment.

Criminal sanctions for individuals

Sanctions for violation of data protection rules will be increased significantly. Fines of up to 250,000 Swiss francs may be levied for offences against certain provisions of the act. Most remarkably, sanctions will not be imposed on companies, but on employees who fail to comply with their duties under the Data Protection Act.

Free transparency claims and free access to courts

Under the revised Data Protection Act, any person may request information from a data controller and may also request to be provided with the respective data at no cost. No court fees will be levied in civil court disputes related to the enforcement of data protection rights.

Additional powers for Data Protection Supervisor

The role of the Data Protection Supervisor shall be strengthened. The Data Protection Supervisor may investigate and issue binding administrative decisions (and not only recommendations as provided by the current Data Protection Act) regarding controllers and processors (for example, modify or terminate unlawful processing). However, the Data Protection Supervisor shall not have any power to impose criminal sanctions; such sanctions will be imposed by criminal courts based on proceedings led by criminal prosecutors.

Self-regulation

The revised Data Protection Act promotes self-regulation. The industry may establish codes of conduct (to be approved by the Data Protection Supervisor) and controllers and processors will in general be deemed to comply with the Data Protection Act if they comply with such self-regulated standards.

Cross-border data transfers

The cross-border transfer system already existing under the Data Protection Act shall be maintained. Thus, cross-border disclosures are still permitted to countries offering adequate protection of personal data. However, it will be the Federal Council (instead of the Data Protection Supervisor) which decides whether a country provides adequate protection. For data transfers to jurisdictions not providing adequate protection, data exporting controllers or processors may continue to rely on treaties, contractual clauses, binding corporate rules or other guarantees.
