SPK‑N: Results of the preli­mi­na­ry consultations

The Sta­te Poli­cy Com­mis­si­on (SPK‑N) has con­tin­ued the deli­be­ra­ti­ons on the DPA draft revi­si­on of the Fede­ral Coun­cil con­clu­ded. The Flag con­ta­ins devia­ti­ons from the Fede­ral Council’s draft in various points, name­ly the fol­lo­wing amend­ments (inclu­ding mino­ri­ty motions):

• Spa­ti­al scope (Art. 2a e‑DSG): The Com­mis­si­on wants to extend the ter­ri­to­ri­al scope of appli­ca­ti­on of the DPA to all pro­ce­s­sing mat­ters that have an impact in Switz­er­land. Accor­ding to the pro­po­sal, for­eign com­pa­nies that initia­te pro­ce­s­sing acti­vi­ties in Switz­er­land should be sub­ject to the DPA and in this con­text also have to appoint a repre­sen­ta­ti­ve in Switz­er­land (Art. 12a DPA). In its pre­sent form, howe­ver, the pro­vi­si­on gives rise to dif­fi­cul­ties of inter­pre­ta­ti­on; for exam­p­le, it is not evi­dent what is meant by the con­nec­ting fac­tor “effect”. While the requi­re­ments for the appoint­ment of a repre­sen­ta­ti­ve are simi­lar to tho­se of the GDPR, the same cri­te­ria do not app­ly with regard to the geo­gra­phi­cal scope of application.
• Pro­ce­s­sing direc­to­ries (Art. 11 E‑DSG)The draft bill of the Fede­ral Coun­cil pro­vi­des for the obli­ga­ti­on of the con­trol­ler (and the pro­ces­sor) to keep pro­ce­s­sing records and also estab­lishes an obli­ga­ti­on to noti­fy the FDPIC for fede­ral bodies. The­re is a mino­ri­ty moti­on on this (Mino­ri­ty I), which goes fur­ther and wants a gene­ral report­ing obli­ga­ti­on to be enshri­ned in law. The­re are also dif­fe­ring Com­mis­si­on pro­po­sals with regard to the exemp­ti­on pro­vi­si­on, accor­ding to which pro­ces­sors should be exempt from the docu­men­ta­ti­on obli­ga­ti­on if they employ fewer than 50 employees and the pro­ce­s­sing in que­sti­on invol­ves only a “low risk”. The Com­mis­si­on majo­ri­ty demands an exemp­ti­on for com­pa­nies with up to 500 employees in any case, i.e. wit­hout any risk assess­ment, the mino­ri­ty pro­po­sal (Mino­ri­ty I) fol­lows the Fede­ral Coun­cil with regard to the employee thres­hold and other­wi­se sup­ports the pro­po­sal of the majo­ri­ty (no risk assessment).
• Per­so­na­li­ty Violations/Consent: Que­sti­ons regar­ding the exi­stence of a vio­la­ti­on of pri­va­cy with regard to per­so­nal data requi­ring spe­cial pro­tec­tion and pro­fil­ing as well as que­sti­ons regar­ding the requi­re­ments for con­sent are dis­pu­ted. The fol­lo­wing posi­ti­ons are held: 
  • The Com­mis­si­on majo­ri­ty fol­lows the Fede­ral Coun­cil, accor­ding to which the­re is a vio­la­ti­on of pri­va­cy if par­ti­cu­lar­ly sen­si­ti­ve data is dis­c­lo­sed to third par­ties. If con­sent is used as a justi­fi­ca­ti­on, this must be explicit.
  • A mino­ri­ty moti­on (Mino­ri­ty II) adds pro­ce­s­sing for direct adver­ti­sing pur­po­ses to the facts of the case. Con­sent must be expli­cit for all pro­ce­s­sing of par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data and for pro­fil­ing, which means that the Fede­ral Coun­cil is fol­lo­wed on this point.
  • Ano­ther mino­ri­ty moti­on (Mino­ri­ty IV) wants – only – to estab­lish a vio­la­ti­on of pri­va­cy for all dis­clo­sures, but regard­less of the type of data, but requi­res expli­cit con­sent both for dis­clo­sures and for the pro­ce­s­sing of par­ti­cu­lar­ly sen­si­ti­ve per­so­nal data.
  • Other moti­ons fol­low the Fede­ral Coun­cil as far as the offen­se of vio­la­ti­on of pri­va­cy is con­cer­ned (dis­clo­sure of per­so­nal data requi­ring spe­cial pro­tec­tion), but addi­tio­nal­ly demand expres­si­ve­ness for high-risk pro­fil­ing (Mino­ri­ty I) or for any pro­ce­s­sing that requi­res con­sent (Mino­ri­ty III).
• Data sub­ject rights (Art. 23 f. E‑DSG): The struc­tu­re of the rights of the data sub­jects is also con­tro­ver­si­al:
  1. Right to data issu­an­ce and por­ta­bi­li­ty: The Com­mis­si­on majo­ri­ty has new­ly inclu­ded this right in the draft. In this con­text, the admis­si­bi­li­ty of such data dis­clo­sures would have to be cla­ri­fi­ed in par­ti­cu­lar, with regard to which the data pro­ces­sors are sub­ject to cer­tain legal bar­riers (e.g. in the social secu­ri­ty sector).
  2. Right to Infor­ma­ti­on: The majo­ri­ty of the Com­mis­si­on is in favor of a limi­t­ed right of access for data sub­jects and wants to limit this “exclu­si­ve­ly” to infor­ma­ti­on that is neces­sa­ry for data sub­jects to be able to assert their rights under this Act, wher­eby “the per­so­nal data as such” (Art. 23(2)(b) E‑DSG) and in par­ti­cu­lar wit­hout details of any data reci­pi­en­ts must be sta­ted. The mino­ri­ties basi­cal­ly fol­low the Fede­ral Council’s draft. The Com­mis­si­on majo­ri­ty also demands an expan­si­on of the cata­log of excep­ti­ons, wher­eby an over­ri­ding inte­rest of the con­trol­ler should be suf­fi­ci­ent for a deni­al of the right to infor­ma­ti­on (even if the data is dis­c­lo­sed to third par­ties) and is not appli­ca­ble if the exer­cise is for pur­po­ses con­tra­ry to data protection.
  3. Duty to inform: The data con­trol­ler only has to inform the data sub­ject “ade­qua­te­ly” about the acqui­si­ti­on of per­so­nal data.
• Penal­ty pro­vi­si­ons (Art. 54 ff. E‑DSG): The Fede­ral Council’s draft intends to make a breach of the duty of care punis­ha­ble in the future, which is sup­port­ed as far as it goes. Howe­ver, two mino­ri­ty moti­ons each call for an increa­se in the pro­po­sed ran­ge of fines. One moti­on (Mino­ri­ty I) demands a fine of up to CHF 20,000,000 or up to 4% of the world­wi­de annu­al tur­no­ver of the pre­ce­ding busi­ness year. A second mino­ri­ty pro­po­sal (Mino­ri­ty II) calls for an increa­se to CHF 500,000. As befo­re, the indi­vi­du­al natu­ral per­sons are to be punis­hed (Art. 29 StGB); in par­ti­cu­lar, the Mino­ri­ty moti­on I will hard­ly be enforceable against this background.
• Fur­ther adjust­mentsWith regard to the per­for­mance of a data pro­tec­tion impact assess­ment, the Com­mis­si­on draft rela­xes the con­sul­ta­ti­on obli­ga­ti­on and rest­ricts this to cases of resi­du­al risks remai­ning despi­te mea­su­res taken. A mino­ri­ty also requi­res a repe­ti­ti­on of the data pro­tec­tion impact assess­ment in the event of chan­ges in risk, but at the latest every 5 years. Fur­ther­mo­re, it is inten­ded to make it easier for data con­trol­lers to check cre­dit­wort­hi­ness by allo­wing pro­fil­ing in this con­text. The majo­ri­ty of the Com­mis­si­on is also in favor of a sta­tu­to­ry regu­la­ti­on regar­ding the tran­si­tio­nal pro­vi­si­ons, accor­ding to which the law should enter into force a total of 2 years after the expiry of the unu­sed refe­ren­dum peri­od or after its adop­ti­on in a refe­ren­dum. The majo­ri­ty of the Com­mis­si­on fol­lows the Fede­ral Council’s draft inso­far as a fur­ther two-year adjust­ment peri­od is gran­ted to tho­se respon­si­ble. Final­ly, refe­rence should be made to various pro­po­sals regar­ding the amend­ment and sup­ple­men­ta­ti­on of exi­sting decrees, which are also to be imple­men­ted with the imple­men­ta­ti­on of the e‑DSG.