Out with the old, in with the new: The revised DPA enters into force

Today, on August 31, 2023, the long revision of data protection law in Switzerland comes to a provisional end – provisional because it is foreseeable that the DPA will face a fate similar to that of the UCA: it is adaptable to all data-related concerns and is therefore likely to be continuously supplemented. But this is speculation; now, on September 1, at 00:00, the revised DPA will enter into force.

For many companies, the revision phase meant a profound examination of their handling of personal data and the internal organizational framework conditions – naturally also, or especially, against the background of the GDPR and other international developments. More or less independent positions were filled (independence being less a question of being free from instructions, conflicts of interest, and reporting lines than one of having sufficient resources to allow data protection bodies to do some agenda setting rather than being relegated to responding to internal requests). Privacy contacts have been identified in units such as marketing, HR, and IT, and business leaders have been briefed on legal risks, especially including criminal risks on the front lines as well as at executive and management level.

The legal risks here are both overestimated and underestimated – underestimated by companies that still perceive data protection as an imposition and further woke restrictions on legitimate profit-making and are unwilling to invest in more than a privacy statement, and overestimated by companies that fear even negligence could lead to penalties.

Overall, however, the risks under criminal law are likely to be overestimated. For example, it is hardly possible to engage a processor without fulfilling the minimum requirements under Article 9 (1) and (2) DPA, failure to fulfil which is punishable by law. To a large extent, these requirements already arise as an ancillary obligation under mandatory law from any relationship similar to a contract, at least from a criminal law perspective that does not allow for overly broad interpretations or analogies. With regard to data security, we have already explained that, and why, there are no justiciable minimum requirements for data security in the DSV when viewed correctly. And with regard to transfers abroad, penalties are conceivable if, for example, standard contractual clauses are forgotten, but the omission of a Transfer Impact Assessment (TIA), for example, cannot in itself lead to criminal liability.

The greatest risks certainly exist in connection with the duty to inform and the right to information. In the case of the duty to inform, however, the preliminary question would arise as to whether there is a procurement of personal data at all (because not every occurrence of data is a procurement) and whether a gap in the privacy statement really is such a gap, because information only has to be provided about those purposes and disclosures that are at least foreseeable, if not planned, at the time of procurement. And in general, the question arises as to how detailed the information in a privacy statement must be. In view of the more extensive information that the data subject can obtain under the right to information, one certainly cannot expect exhaustive details in the privacy statement, even if many companies use detailed privacy statements for reasons of prudence and reputation.

How active law enforcement agencies will be remains to be seen anyway – but if one thinks of the enforcement practice in the area of the Unfair Competition Act, and especially of the ban on spam (we know of orders declining to open proceedings with sometimes adventurous justifications), no activism is to be expected.

The FDPIC is also not expected to engage in broad investigative activities. Although it will be under a certain pressure to succeed and to make use of its extended competences, it is likely to exercise restraint due to political considerations, due to its self-image (“not a regulator”) and due to a shortage of resources.

Companies will continue to be busy with implementation work after September 1, on the one hand with the obvious requirements for the duty to inform, but also with internal organization and the usual long-tail tasks such as the storage and deletion of personal data. A certain amount of additional work will also remain, e.g., in collaboration with service providers and partners, where data protection contracts and corresponding negotiations have increased.

On balance, however, the impact of the new DPA on corporate practice is likely to remain manageable. Even the representatives of the data protection bubble know that data protection law is not the only regulation that companies have to deal with. Apart from sector-specific regulations, depending on the industry, companies may have to comply with antitrust law, anti-corruption law, money laundering law, etc., and a one-sided focus on data protection law would only lead to other obligations and risks being neglected – something that the data protection authorities are probably also aware of.

Has the revision been successful? Yes and no. The new DPA is the result of a long political tug-of-war. This has advantages and disadvantages – on the one hand, the DPA (DSG) is less paternalistic than the GDPR. On the other hand, many technical errors in the DSG and the DSV will continue to lead to legal uncertainty. It also does not contribute to the acceptance of data protection law that criminal liability is individualized and the selection of obligations subject to punishment seems arbitrary (why should it be punishable to transfer personal data to third countries without standard contractual clauses, but not to omit a data protection impact assessment or a data breach notification?), or that a consistent approach to legal risk assessment is missing. After all: this gives companies the freedom they always demand when implementing data protection law.

What data protection law cannot change: the further development of technology and its penetration of even the smallest ramifications of everyday life. It will not be possible to escape generative AI even if one wanted to, and there would be good reasons to do so (no opportunity to outsource thinking ever went unused). What effects this will have is difficult to foresee, and this is not the place to speculate. But one consideration suggests itself: means, once deployed, act back on their user; what you possess, possesses you. An AI that claims to be human-like is not only a human-like AI, but also a blueprint for human behavior, just as other enabling technologies have been – the Internet is not only a place of freedom, but can replace knowledge with information and thinking with googling. It is therefore not only possible, but likely, that sooner or later an AI will no longer be seen as a deficient human, but humans will be seen as deficient AIs. We will have to deal, for example, with the question of whether there is really a need for a right to be heard by humans in the case of automated individual decisions, or rather a right to be heard by machines in the case of human decisions.

However, data protection law is hardly in a position to take up such questions if it is not to become even more the “Law of Everything”. More than philosophical questions, it requires craftsmanship, a constant preoccupation with data processing in the engine room of companies, so to speak, and a change in understanding away from a necessary evil towards a thoroughly sensible framework for a digitized world.

In this sense – out with the old, in with the new! We will continue to lovingly accompany data protection law at this point.
