Data Protection in Switzerland: a preview
The Federal Act on Data Protection (FADP) was first enacted in 1993 and is currently subject to a complete revision. It applies only to the processing of data pertaining to natural persons and legal persons by private persons and federal bodies. Cantons and communes have their own data protection acts regarding the processing of data by their authorities. Other sectoral laws contain provisions that apply to specific sectors (e.g. employment law and social security law).
Switzerland is not part of the European Union but signed many agreements with the European Commission in various fields (e.g. free trade, insurance, customs facilitation, security, free movement of persons, research). Switzerland achieved adequacy status under the 1995 Data Protection Directive.
GDPR Effects for Switzerland
Swiss organisations fear that Switzerland may lose its adequacy status between the 25th of May 2018 and the entry into force of its revised FADP, which may not happen before mid 2019. At the moment nobody knows when the European Commission will re-evaluate the adequacy decisions, and there is no evidence that the European Commission intends to imminently change its mind regarding Switzerland’s status. It is clear, however, that the result of the re-evaluation will depend on the choices made by the Swiss Parliament regarding the FADP’s overhaul. Should the European Commission refuse to maintain Switzerland’s status, the effects on the Swiss market, and especially on SMEs, would be problematic. Swiss companies could have to commit to respecting GDPR provisions (e.g. through binding corporate rules or model clauses).
The GDPR applies to the processing of personal data by a controller or processor outside the European Union, if the data subjects are in the Union, and if the controller or processor is offering goods and services to those in the Union, or monitoring the behaviour of those within the EU (§ 3.2 GDPR). There is no doubt that Swiss organisations are subject to GDPR if one of these two conditions is fulfilled, even though they do not have an establishment in the EU.
However, GDPR creates uncertainties and impracticalities regarding Swiss organisations and their relationship to European authorities and supervisory authorities. Here is a selection.
- Some Swiss companies are required by law to process personal data in order to fulfil their mandate (e.g. social security). There could be a conflict of laws between the GDPR and the sectoral laws regarding the legal framework that must be applied to European residents. The above-mentioned agreements between the EU and Switzerland would possibly need to be revised in order to take this problem into account.
- Numerous recitals and provisions of the GDPR refer to the law of the Member States (e.g. regarding the processing of special categories of personal data, § 9.2 GDPR). Switzerland is not a Member State, which means Swiss national laws have no effect regarding the GDPR recitals and provisions referring to Member States’ law, even though the GDPR applies to Swiss organisations according to § 3.2 GDPR. Whether or not Switzerland’s adequacy status is maintained would have no impact on this issue.
- For example, organisations in the EU must communicate the details of their data protection officer to the supervisory authority (§ 37.7 GDPR). Who is the European supervisory authority for a Swiss organisation that has no establishment in the EU? It cannot be a Swiss authority, because the supervisory authority must be established in a Member State. Can a Swiss organisation therefore ‘choose’ its supervisory authority amongst the Member States when it has no establishment within the EU? As Switzerland’s main languages are German, French and Italian, it is likely that Swiss organisations will communicate with authorities that speak their language, or ‘choose’ the supervisory authority of the Member State in which they have the most customers.
- Switzerland’s economic actors are mainly SMEs, and these generally have no establishment abroad. Without an establishment in the EU to investigate, European and Member States’ supervisory authorities will be tasked with investigating suspected data protection violations directly in Switzerland. However, Swiss sovereignty prevents this from happening without an agreement between Switzerland and the European Commission (and possibly the Member States).
- This raises the question of whether Swiss authorities will collaborate with European supervisory authorities when the latter need to investigate Swiss organisations’ processing activities in Switzerland. There is no doubt that the Swiss federal supervisory authority, the Federal Data Protection and Information Commissioner (FDPIC), will want to collaborate with European supervisory authorities in their investigations, whether through an official collaboration between the European Data Protection Board (EDPB) and the European Free Trade Association (EFTA) DPAs or by integrating the EFTA DPAs into the EDPB as observer/consultative parties.
- Another question is whether the FDPIC will have the resources to do so. In 2017, its budget amounted to about 5.7 million Swiss Francs, of which 5.1 million was for salaries and other staff-related expenses alone. In March 2018 the FDPIC had the equivalent of 27 full-time employees.
- How will administrative fines and other corrective measures be enforced if they are imposed on Swiss organisations that have no establishment in the EU? In order to protect Swiss sovereignty, agreements will need to be signed (if they are not already) with the European Commission and the Member States. It needs to be specified clearly that the FDPIC will not enforce the GDPR against Swiss organisations. The FDPIC will certainly collaborate with European investigations but will not take measures against Swiss companies based on the GDPR. (So, will this render the GDPR toothless/ineffective? How can Swiss organisations be ‘persuaded’ to comply – is it the threat of not renewing an adequacy decision?)
- As mentioned by the Swiss Government in a response to a Member of the Federal Parliament’s question, another issue is the concept of double jeopardy (i.e. the same misconduct cannot be prosecuted more than once; the ne bis in idem principle). The current FADP does not lay down any administrative penalty for failures to comply with data protection laws. However, it is proposed (though Parliament has not yet finally agreed to this) that the revised FADP should introduce fines of up to 250,000 Swiss Francs (currently approximately 200,000 euros). This maximum amount is nothing in comparison to the fines introduced by the GDPR (§ 83). If the same data protection violation by the same Swiss organisation is prosecuted by a European administrative authority (e.g. a supervisory authority) and by a Swiss criminal authority, the latter could take the European authority’s sanction into account only if it qualifies as a criminal sanction according to the European Court of Human Rights (Engel and others v. The Netherlands [GC], no 5100/71, § 50, ECHR 1976), which could be the case.
The wording of the GDPR is often unclear and confuses European companies and supervisory authorities. The situation is worse and rather more complex for non-Member States like Switzerland and their organisations, which face numerous specific questions, a selection of which was highlighted above. Regardless of these specific uncertainties, Swiss organisations have the same problems as European organisations regarding GDPR implementation.
Don’t miss tomorrow’s final contribution, on the UK and the GDPR, by Karen Mac Kullagh.