Schwa­ab par­lia­men­ta­ry initia­ti­ve (14.404): For tru­ly deter­rent sanc­tions for data pro­tec­tion violations

Schwa­ab par­lia­men­ta­ry initia­ti­ve (14.404): For tru­ly deter­rent sanc­tions for data pro­tec­tion violations
No fol­low-up given (17.03.2015)

Sub­mit­ted text

Based on Artic­le 160 para­graph 1 of the Fede­ral Con­sti­tu­ti­on and on Artic­le 107 of the Par­lia­men­ta­ry Act, I sub­mit the fol­lo­wing par­lia­men­ta­ry initiative:

The Data Pro­tec­tion Act is amen­ded as follows:

1 The Fede­ral Data Pro­tec­tion and Infor­ma­ti­on Com­mis­sio­ner (FDPIC) is empowered to issue effec­ti­ve, pro­por­tio­na­te and dissua­si­ve admi­ni­stra­ti­ve sanc­tions in the event of a breach of pro­vi­si­ons of fede­ral data pro­tec­tion law. The law regu­la­tes the pro­ce­du­re and the right of appeal.

2. the amount of the admi­ni­stra­ti­ve fine shall be deter­mi­ned taking into account the natu­re, gra­vi­ty and dura­ti­on of the vio­la­ti­on and depen­ding on whe­ther a vio­la­ti­on was com­mit­ted inten­tio­nal­ly or negli­gent­ly. If the vio­la­ti­on is com­mit­ted by a legal enti­ty car­ry­ing out a pro­fit-making acti­vi­ty, the fine may be up to 10 per­cent of the tur­no­ver in par­ti­cu­lar­ly serious cases.

Justi­fi­ca­ti­on

Gross vio­la­ti­ons of data pro­tec­tion are occur­ring more and more fre­quent­ly. New tech­no­lo­gies and social net­works make it much easier to pro­cess data on a lar­ge sca­le. Crea­ting detail­ed per­so­na­li­ty pro­files is easy. Cloud com­pu­ting encou­ra­ges the sto­rage of data abroad, often wit­hout any pos­si­bi­li­ty of con­trol. With a simp­le click, the data of hundreds of thou­sands of indi­vi­du­als can be sto­len, fal­si­fi­ed, or used for unin­ten­ded pur­po­ses, and usual­ly wit­hout the indi­vi­du­als con­cer­ned rea­li­zing it. They can hard­ly pre­vent the misu­se of their per­so­nal data, sin­ce the gene­ral terms and con­di­ti­ons on most web­sites whe­re data is coll­ec­ted or pro­ce­s­sed are for­mu­la­ted in a cor­re­spon­din­gly one-sidedly advan­ta­ge­ous manner.

When indi­vi­du­als and com­pa­nies try to defend them­sel­ves, they have to expect leng­thy and cost­ly pro­ce­e­dings, and the out­co­me is rare­ly satis­fac­to­ry. The FDPIC is only empowered to make recom­men­da­ti­ons. Howe­ver, the­se rare­ly seem to deter com­pa­nies, often mul­ti­na­tio­nal Inter­net com­pa­nies that con­trol a gro­wing amount of per­so­nal data. The­re is the­r­e­fo­re an urgent need to give the FDPIC sanc­tio­ning power.

For the sanc­tions to be tru­ly deter­rent, the fines must take into account the enorm­ous finan­cial strength of the mul­ti­na­tio­nals invol­ved. For exam­p­le, the fines of 150,000 euros and 900,000 euros impo­sed on Goog­le by the French and Spa­nish data pro­tec­tion aut­ho­ri­ties, respec­tively, for repea­ted data pro­tec­tion vio­la­ti­ons have drawn the ridi­cu­le of the Euro­pean Com­mis­si­on. Com­mis­sio­ner Vivia­ne Reding has descri­bed the­se amounts as “pocket money fines.” In respon­se, she has expres­sed a firm inten­ti­on to rai­se the level of sanc­tions in this area to more than 2 per­cent of the glo­bal tur­no­ver of the com­pa­nies con­cer­ned. In the U.S., the Ame­ri­can aut­ho­ri­ties (FTC) fined Goog­le $22.5 mil­li­on in 2012 for pri­va­cy violations.

Switz­er­land needs effec­ti­ve data pro­tec­tion that is com­men­su­ra­te with the cur­rent chal­lenges. Modern legis­la­ti­on undoub­ted­ly inclu­des tru­ly deter­rent sanctions.

Report of the Sta­te Poli­cy Com­mis­si­on of Octo­ber 31, 2014:

Aut­ho­ri­ty

Area

Topics

Rela­ted articles

Sub­scri­be