The State Policy Committee of the Council of States (SPK-SR) has completed its consultation on the bill for a new data protection law. It unanimously approved the bill in the overall vote and referred it to its Council, which can thus discuss it in the winter session (December 2 – 20, 2019). The corresponding synopsis (the "Fahne") for the attention of the Council of States was published on November 28, 2019.
In essence, the SPK-SR followed the proposals of the National Council, but on some points it provides for tightening or easing. The SPK-SR has spoken out in favor of the following adjustments (majority proposals; minority proposals are not taken into account):
- Profiling with high risk: The SPK-SR wants to explicitly include this term in the law and understands it to mean profiling that entails a high risk for the personality or the fundamental rights of the person concerned, namely
  - in the systematic linking of certain characteristics of a person that affect different areas of a natural person’s life; and
  - in the case of systematic and extensive processing of data in order to draw conclusions about various areas of a person’s life;
- Data security breach: An infringement should only exist if it leads to the unintentional or unlawful loss, deletion, destruction or alteration of personal data, or if such data is disclosed or made accessible to unauthorized persons. The Federal Council wanted to establish an infringement in every case in which personal data is processed in the manner described, i.e. regardless of the intention or unlawfulness.
- Consent: Express consent to profiling should only be required in the case of high-risk profiling. According to the proposal, no express consent is required for profiling without high risk that is carried out by a private person, whereas express consent is required for all profiling in the case of corresponding processing by federal bodies.
- Duty to inform: The minimum content of the duty to provide information should be expanded to include a list of the rights of the data subjects and any intention to use persons for credit checks. Furthermore, a disproportionate effort should not justify an exception or a restriction of the duty to provide information. In addition, a restriction shall only be permissible if overriding interests of the responsible party require such a measure and – cumulatively – the personal data is not disclosed to third parties, subject to a newly introduced group privilege.
- Access right: With regard to the information within the scope of the right of access, the SPK-SR follows the Federal Council and drops the proposal of the National Council, according to which only the information that the data subject needs to assert his or her data subject rights is to be disclosed. Likewise, any credit checks would have to be disclosed. Analogous to the restrictions on the duty to inform, a restriction of the right to information should also only be possible if no data is disclosed to third parties, subject to a newly introduced group privilege.
- Group privilege: The proposal of the SPK-SR contains an innovation with regard to a group privilege, which is to be applied in the following situations:
  - Data subject rights: A restriction should only be possible for both the duty to provide information and the right to information if personal data is not disclosed to third parties. However, data flows between companies controlled by the same legal entity are exempt from this, i.e. in this case a restriction is permissible.
  - Justification: An overriding private interest in connection with data processing to strengthen the competitive position should only be considered a justification if the data is not disclosed to third parties. Data flows within the group, at least, are exempt from this, i.e. in this case the overriding interest applies as a ground for justification.
- Tightening of violations of personality rights and grounds for justification: The SPK-SR now wants to assume that every case in which personal data is disclosed to third parties constitutes a violation of privacy that requires a justification. Placed systematically under the grounds for justification, however, is the rule that disclosure to third parties should only take place with the express consent of the person concerned. Should this proposal actually find a majority in the small chamber, this would indirectly mean the introduction of the requirement of a legal basis for disclosures, which would amount to a massive tightening. Accordingly, disclosure to third parties outside the group would only be possible if the data subject has expressly consented to disclosure.
- Violation of safety obligations: Contrary to the proposal of the National Council and in accordance with the original proposal of the Federal Council, it should be possible to sanction a breach of the minimum data security requirements.
As a result, the introduction of the de facto group privilege and the associated massive tightening with regard to data disclosures to third parties appear to be the most significant innovation. It remains to be seen whether, and if so, to what extent the small chamber will actually follow these proposals.