The State Policy Commission (SPK‑N) has continued and concluded its deliberations on the Federal Council's draft revision of the DPA. The Flag deviates from the Federal Council’s draft on various points, namely through the following amendments (including minority motions):
- Spatial scope (Art. 2a e‑DSG): The Commission wants to extend the territorial scope of application of the DPA to all processing matters that have an impact in Switzerland. According to the proposal, foreign companies that initiate processing activities in Switzerland should be subject to the DPA and in this context also have to appoint a representative in Switzerland (Art. 12a DPA). In its present form, however, the provision gives rise to difficulties of interpretation; for example, it is not evident what is meant by the connecting factor “effect”. While the requirements for the appointment of a representative are similar to those of the GDPR, the same criteria do not apply with regard to the geographical scope of application.
- Processing directories (Art. 11 E‑DSG): The draft bill of the Federal Council provides for the obligation of the controller (and the processor) to keep processing records and also establishes an obligation to notify the FDPIC for federal bodies. There is a minority motion on this (Minority I), which goes further and wants a general reporting obligation to be enshrined in law. There are also differing Commission proposals with regard to the exemption provision, according to which processors should be exempt from the documentation obligation if they employ fewer than 50 employees and the processing in question involves only a “low risk”. The Commission majority demands an exemption for companies with up to 500 employees in any case, i.e. without any risk assessment; the minority proposal (Minority I) follows the Federal Council with regard to the employee threshold and otherwise supports the proposal of the majority (no risk assessment).
- Personality Violations/Consent: Questions regarding the existence of a violation of privacy with regard to personal data requiring special protection and profiling as well as questions regarding the requirements for consent are disputed. The following positions are held:
  - The Commission majority follows the Federal Council, according to which there is a violation of privacy if particularly sensitive data is disclosed to third parties. If consent is used as a justification, this must be explicit.
  - A minority motion (Minority II) adds processing for direct advertising purposes to the definition of the violation. Consent must be explicit for all processing of particularly sensitive personal data and for profiling, which means that the Federal Council is followed on this point.
  - Another minority motion (Minority IV) wants only to establish a violation of privacy for all disclosures, regardless of the type of data, but requires explicit consent both for disclosures and for the processing of particularly sensitive personal data.
  - Other motions follow the Federal Council as far as the offense of violation of privacy is concerned (disclosure of personal data requiring special protection), but additionally demand explicit consent for high-risk profiling (Minority I) or for any processing that requires consent (Minority III).
- Data subject rights (Art. 23 f. E‑DSG): The structure of the rights of the data subjects is also controversial:
  - Right to data issuance and portability: The Commission majority has newly included this right in the draft. In this context, the admissibility of such data disclosures would have to be clarified in particular, with regard to which the data processors are subject to certain legal barriers (e.g. in the social security sector).
  - Right to Information: The majority of the Commission is in favor of a limited right of access for data subjects and wants to limit this “exclusively” to information that is necessary for data subjects to be able to assert their rights under this Act, whereby “the personal data as such” (Art. 23(2)(b) E‑DSG) must be stated, in particular without details of any data recipients. The minorities basically follow the Federal Council’s draft. The Commission majority also demands an expansion of the catalog of exceptions, whereby an overriding interest of the controller should be sufficient for a denial of the right to information (even if the data is disclosed to third parties), and the right should not apply if it is exercised for purposes contrary to data protection.
  - Duty to inform: The data controller only has to inform the data subject “adequately” about the acquisition of personal data.
- Penalty provisions (Art. 54 ff. E‑DSG): The Federal Council’s draft intends to make a breach of the duty of care punishable in the future, which is supported as far as it goes. However, two minority motions each call for an increase in the proposed range of fines. One motion (Minority I) demands a fine of up to CHF 20,000,000 or up to 4% of the worldwide annual turnover of the preceding business year. A second minority proposal (Minority II) calls for an increase to CHF 500,000. As before, the individual natural persons are to be punished (Art. 29 StGB); against this background, the Minority I motion in particular will hardly be enforceable.
- Further adjustments: With regard to the performance of a data protection impact assessment, the Commission draft relaxes the consultation obligation and restricts this to cases of residual risks remaining despite measures taken. A minority also requires a repetition of the data protection impact assessment in the event of changes in risk, but at the latest every 5 years. Furthermore, it is intended to make it easier for data controllers to check creditworthiness by allowing profiling in this context. The majority of the Commission is also in favor of a statutory regulation regarding the transitional provisions, according to which the law should enter into force a total of 2 years after the expiry of the unused referendum period or after its adoption in a referendum. The majority of the Commission follows the Federal Council’s draft insofar as a further two-year adjustment period is granted to those responsible. Finally, reference should be made to various proposals regarding the amendment and supplementation of existing decrees, which are also to be implemented with the implementation of the e‑DSG.