- Federal Council adopted dispatch approving the protocol of amendment to the Data Protection Convention; parliamentary approval required for ratification.
- Protocol extends controller obligations (reporting obligations, data protection impact assessment, duty to inform, privacy by design/default) and calls for sanction and redress mechanisms.
- Adaptation of the national DPA and cantonal laws necessary; Council of States debates revision, then possible entry into force and ratification.
As a result of its Decision of October 30, 2019 At its meeting on December 6, 2019, the Federal Council approved the Message on the approval of the Protocol amending the Council of Europe Convention on Data Protection passed. However, parliamentary approval is still required for ratification. Accession to the modernized convention will ensure that the increasing data protection requirements for data processing of personal data in an international context are met. In particular, it will also facilitate cross-border data traffic; when deciding whether an adequate level of data protection exists in a third country, the EU Commission will take into account whether the third countries concerned have acceded to the convention.
According to the amendment protocol, various obligations of the controller are expanded, such as the notification obligations to the supervisory authority in the event of data protection violations, an obligation to conduct a data protection impact assessment, and the information obligation of the controller. Furthermore, the principles of privacy by design and privacy by default are anchored. The contracting states are also required to introduce a system of sanctions and legal remedies, which goes hand in hand with the authority of the supervisory authorities to issue binding decisions; against the backdrop of the systematics of Swiss data protection law, this point will probably be one of the main sticking points.
The corresponding adaptations are also to be included in the Data Protection Act (DPA); the draft for the revised DPA has just been discussed by the Commission of the Council of States and is now being debated in the Council of States as part of the winter session currently underway. As soon as the deliberations along these lines have been concluded, both the DPA and the federal resolution approving the new data protection convention can be adopted and the new data protection convention ratified.
It should be noted that ratification is also binding on the cantons. They are obliged to comply with the new requirements of the amending protocol and to implement them in their law, i.e. the cantonal data protection laws may also have to be adapted.