Schwaab parliamentary initiative (14.404): For truly deterrent sanctions for data protection violations
No follow-up given (17.03.2015)
Based on Article 160 paragraph 1 of the Federal Constitution and on Article 107 of the Parliamentary Act, I submit the following parliamentary initiative:
The Data Protection Act is amended as follows:
1 The Federal Data Protection and Information Commissioner (FDPIC) is empowered to issue effective, proportionate and dissuasive administrative sanctions in the event of a breach of provisions of federal data protection law. The law regulates the procedure and the right of appeal.
2. the amount of the administrative fine shall be determined taking into account the nature, gravity and duration of the violation and depending on whether a violation was committed intentionally or negligently. If the violation is committed by a legal entity carrying out a profit-making activity, the fine may be up to 10 percent of the turnover in particularly serious cases.
Gross violations of data protection are occurring more and more frequently. New technologies and social networks make it much easier to process data on a large scale. Creating detailed personality profiles is easy. Cloud computing encourages the storage of data abroad, often without any possibility of control. With a simple click, the data of hundreds of thousands of individuals can be stolen, falsified, or used for unintended purposes, and usually without the individuals concerned realizing it. They can hardly prevent the misuse of their personal data, since the general terms and conditions on most websites where data is collected or processed are formulated in a correspondingly one-sidedly advantageous manner.
When individuals and companies try to defend themselves, they have to expect lengthy and costly proceedings, and the outcome is rarely satisfactory. The FDPIC is only empowered to make recommendations. However, these rarely seem to deter companies, often multinational Internet companies that control a growing amount of personal data. There is therefore an urgent need to give the FDPIC sanctioning power.
For the sanctions to be truly deterrent, the fines must take into account the enormous financial strength of the multinationals involved. For example, the fines of 150,000 euros and 900,000 euros imposed on Google by the French and Spanish data protection authorities, respectively, for repeated data protection violations have drawn the ridicule of the European Commission. Commissioner Viviane Reding has described these amounts as “pocket money fines.” In response, she has expressed a firm intention to raise the level of sanctions in this area to more than 2 percent of the global turnover of the companies concerned. In the U.S., the American authorities (FTC) fined Google $22.5 million in 2012 for privacy violations.
Switzerland needs effective data protection that is commensurate with the current challenges. Modern legislation undoubtedly includes truly deterrent sanctions.
Report of the State Policy Commission of October 31, 2014: