State­ment by the Federal Coun­cil on the Fia­la inter­pel­la­ti­on (17.4088): Imple­men­ta­ti­on issu­es rela­ting to the EU Gene­ral Data Pro­tec­tion Regulation

The Federal Coun­cil has deci­ded on the Inter­pel­la­ti­on Fia­la (17.4088) on imple­men­ta­ti­on issu­es rela­ting to the EU Gene­ral Data Pro­tec­tion Regu­la­ti­on com­men­ted as fol­lows on March 2, 2018:

[Que­sti­on Fia­la: Will the EU con­ti­nue to reco­gni­ze the equi­va­lence of Swiss data pro­tec­tion legis­la­ti­on?]

1. main­tai­ning the EU ade­quacy deci­si­on is a prio­ri­ty objec­ti­ve for the Federal Coun­cil. For this rea­son in par­ti­cu­lar, it has deci­ded to align the con­tent of the e‑DSG with the requi­re­ments of the draft revi­si­on of Con­ven­ti­on ETS 108 and the GDPR. It is not pos­si­ble to pre­dict today when the Euro­pean Com­mis­si­on will review the ade­quacy of Swiss data pro­tec­tion law again and whe­ther the result will be posi­ti­ve. In order for Switz­er­land to main­tain the exi­sting ade­quacy decla­ra­ti­on, it must have a com­pa­ra­ble level of pro­tec­tion as the EU. The out­co­me of the review depends to a lar­ge extent on the deci­si­ons of Par­lia­ment in the con­text of the revi­si­on of Swiss data pro­tec­tion legislation.

Sin­ce the SPK‑N has deci­ded to split the bill and dis­cuss it in two sta­ges (cf. Sec­tion 9 below), delays are likely. If the Euro­pean Com­mis­si­on con­clu­des during its next review of Swiss data pro­tec­tion law that it no lon­ger ensu­res an ade­qua­te level of pro­tec­tion – becau­se the DPA has not yet been revi­sed – it may revo­ke, amend or sus­pend the ade­quacy deci­si­on. This would have adver­se con­se­quen­ces for the Swiss eco­no­my and SMEs in par­ti­cu­lar. Per­so­nal data from the EU could no lon­ger be trans­fer­red to Switz­er­land without fur­ther ado, but addi­tio­nal safe­guar­ding mea­su­res would have to be taken. For examp­le, Swiss com­pa­nies would have to con­trac­tual­ly com­mit to main­tai­ning the Euro­pean level of data pro­tec­tion vis-à-vis com­pa­nies from the EU.

[Que­sti­on Fia­laWho is the con­ta­ct for Swiss com­pa­nies (e.g. for noti­fi­ca­ti­on obli­ga­ti­ons) regar­ding the GDPR and the e‑DSG? Is this the FDPIC, a body in the EU or even both?]

2. each aut­ho­ri­ty will app­ly its own law. If the data con­trol­ler con­si­ders that it is sub­ject to both the DPA and the GDPR, he will con­ta­ct the FDPIC and the com­pe­tent for­eign super­vi­so­ry aut­ho­ri­ty.

[Que­sti­on Fia­laAre inve­sti­ga­ti­ons and any sanc­tions against Swiss com­pa­nies car­ri­ed out by a Swiss agen­cy? How and by whom?]

3. the inve­sti­ga­ti­on and impo­si­ti­on of sanc­tions against a com­pa­ny based in Switz­er­land but sub­ject to the GDPR fall wit­hin the com­pe­tence of the super­vi­so­ry aut­ho­ri­ties of the EU mem­ber sta­tes. Howe­ver, without a coope­ra­ti­on agree­ment, they can­not them­sel­ves car­ry out inve­sti­ga­ti­ve actions in Switz­er­land. If a com­pa­ny must appoint a repre­sen­ta­ti­ve in the EU (Art. 27 GDPR), the Euro­pean super­vi­so­ry aut­ho­ri­ties can ser­ve their deci­si­ons on the Swiss com­pa­ny through this repre­sen­ta­ti­ve without going through the diplo­ma­tic chan­nel.

[Que­sti­on Fia­laCan com­pa­nies be sanc­tion­ed by both Switz­er­land and the EU for the same case?]

4 This pos­si­bi­li­ty can­not be ruled out. Howe­ver, the ne bis in idem princip­le (pro­hi­bi­ti­on of dou­ble jeo­par­dy) could app­ly if EU fines and cri­mi­nal sanc­tions impo­sed by Swiss law enfor­ce­ment aut­ho­ri­ties coincide.

[Que­sti­on Fia­la: Can com­pa­nies be sanc­tion­ed by the EU or its mem­ber sta­tes even though they com­ply with Swiss law? No,]

5. yes, if they are sub­ject to the GDPR and vio­la­te its provisions.

[Que­sti­on Fia­la: Are Swiss cer­ti­fi­ca­ti­ons and cer­ti­fi­ca­ti­on bodies reco­gni­zed by the EU?]

6 The GDPR does not pro­vi­de for a pro­ce­du­re for the reco­gni­ti­on of Swiss cer­ti­fi­ca­ti­ons and cer­ti­fi­ca­ti­on bodies by the EU.

[Que­sti­on Fia­la: Is Switz­er­land invol­ved in the deve­lo­p­ment of stan­dards?]

7 The GDPR does not con­tain any pro­vi­si­on that would pro­vi­de for such par­ti­ci­pa­ti­on by Switz­er­land. Howe­ver, it is not exclu­ded that Swiss com­pa­nies could be invol­ved, e.g. in the con­text of the deve­lo­p­ment of codes of conduct.

[Que­sti­on Fia­laThe GDPR refers in many places to the law of the mem­ber sta­tes. What role does Swiss law play in this?]

8 Switz­er­land is not a Mem­ber Sta­te wit­hin the mea­ning of the GDPR. This app­lies irre­spec­ti­ve of the fact that this legal act may app­ly direct­ly to Swiss com­pa­nies pur­suant to its Arti­cle 3(2). The refe­ren­ces to the law of the Mem­ber Sta­tes do not inclu­de Swiss law, which con­se­quent­ly has no role to play..

[Que­sti­on Fia­laThe­se que­sti­ons show that the­re is a gre­at need for coor­di­na­ti­on even befo­re the revi­si­on of the DPA is dis­cus­sed in par­lia­ment. The­re­fo­re, the Federal Coun­cil was inst­ruc­ted by the refer­red moti­on 16.3752 to seek a cor­re­spon­ding agree­ment with the EU. Accord­ing to the ans­wer to my que­sti­on 17.5528 during que­sti­on time on Decem­ber 4, the Federal Coun­cil sta­ted that it did not want to con­ta­ct the Euro­pean Com­mis­si­on befo­re the par­lia­men­ta­ry dis­cus­sion. Howe­ver, the abo­ve-men­tio­ned que­sti­ons will alrea­dy ari­se for many Swiss com­pa­nies in May 2018. Moreo­ver, the­se imple­men­ta­ti­on que­sti­ons are also very valu­able, espe­cial­ly for the con­sul­ta­ti­on of the Swiss DPA. What steps does the Federal Coun­cil intend to take in order to regu­la­te this need for coor­di­na­ti­on as quick­ly as pos­si­ble under sta­te trea­ty law?]

9. the con­clu­si­on of a Coope­ra­ti­on Agree­ment bet­ween Switz­er­land and the EU will pro­bab­ly take several years. The chan­ces of suc­cess will depend on whe­ther Switz­er­land can demon­stra­te that its data pro­tec­tion legis­la­ti­on ensu­res an ade­qua­te level of pro­tec­tion wit­hin the mea­ning of the GDPR. The­re­fo­re, the Federal Coun­cil has deemed it appro­pria­te to await the start of par­lia­men­ta­ry work. A first con­ta­ct with the Euro­pean Com­mis­si­on was sche­du­led for the begin­ning of 2018. In view of the deci­si­on of the Natio­nal Council’s Sta­te Poli­cy Com­mit­tee of 11 Janu­a­ry 2018 to prio­ri­ti­ze the legis­la­ti­ve mea­su­res necessa­ry for the imple­men­ta­ti­on of the Schen­gen acquis and to car­ry out the exami­na­ti­on of the adjust­ments aimed at brin­ging Swiss data pro­tec­tion law into line with the requi­re­ments of the GDPR in a second sta­ge, Howe­ver, the Federal Coun­cil intends to wait with this step for the time being.