At its meeting today, the Federal Council dealt with the report “Variants for reporting obligations of critical infrastructures in the event of serious security incidents”. The report is intended to contribute to a well-founded discussion of reporting obligations. It sheds light on various facets of reporting obligations, describes the context of existing reporting obligations in Switzerland and abroad, and develops various basic models for reporting obligations as possible variants for implementation. Based on these results, the Federal Council intends to make fundamental decisions on the introduction of reporting obligations by the end of 2020.
It is noteworthy that the report mentions the obligation to report data protection-related incidents only in connection with the European GDPR and its fines (Report, p. 11). This does not take into account the obligation to report data security breaches to the FDPIC, which is already provided for in Art. 22 E‑DSG. The deliberations on the E‑DSG will continue in the Council of States on December 18, 2019; no changes are expected with regard to the reporting obligation.
The report thus does not address the relationship between the reporting obligation under the revised FADP and that under a possible future cybersecurity decree. The review mandates of the Federal Council, parliament and the expert group on the future of data processing and data security mentioned in the report each aim to protect critical infrastructures (Report, p. 4 f.). It can therefore be assumed that the reporting obligations are meant to apply only to operators of critical infrastructures, as is already the case in other countries with regard to cybersecurity. The reporting obligation under Art. 22 Para. 1 E‑DSG, on the other hand, addresses all data controllers and thus has a wider circle of addressees.
It is therefore conceivable that operators of critical infrastructures will have to submit two reports in future – one to the FDPIC and one to a (centralized or decentralized) cybersecurity reporting office. The former focuses on the protection of the individuals concerned, while the latter focuses on the protection of systems or on the state’s supervisory duty vis-à-vis the economy. Coordination between the reporting offices is desirable with regard to all of these protection goals.