The Federal Council has decided on the Interpellation Fiala (17.4088) on implementation issues relating to the EU General Data Protection Regulation commented as follows on March 2, 2018:
[Question Fiala: Will the EU continue to recognize the equivalence of Swiss data protection legislation?]1. maintaining the EU adequacy decision is a priority objective for the Federal Council. For this reason in particular, it has decided to align the content of the e‑DSG with the requirements of the draft revision of Convention ETS 108 and the GDPR. It is not possible to predict today when the European Commission will review the adequacy of Swiss data protection law again and whether the result will be positive. In order for Switzerland to maintain the existing adequacy declaration, it must have a comparable level of protection as the EU. The outcome of the review depends to a large extent on the decisions of Parliament in the context of the revision of Swiss data protection legislation.
Since the SPK‑N has decided to split the bill and discuss it in two stages (cf. Section 9 below), delays are likely. If the European Commission concludes during its next review of Swiss data protection law that it no longer ensures an adequate level of protection – because the DPA has not yet been revised – it may revoke, amend or suspend the adequacy decision. This would have adverse consequences for the Swiss economy and SMEs in particular. Personal data from the EU could no longer be transferred to Switzerland without further ado, but additional safeguarding measures would have to be taken. For example, Swiss companies would have to contractually commit to maintaining the European level of data protection vis-à-vis companies from the EU.
[Question FialaWho is the contact for Swiss companies (e.g. for notification obligations) regarding the GDPR and the e‑DSG? Is this the FDPIC, a body in the EU or even both?]2. each authority will apply its own law. If the data controller considers that it is subject to both the DPA and the GDPR, he will contact the FDPIC and the competent foreign supervisory authority.
[Question FialaAre investigations and any sanctions against Swiss companies carried out by a Swiss agency? How and by whom?]3. the investigation and imposition of sanctions against a company based in Switzerland but subject to the GDPR fall within the competence of the supervisory authorities of the EU member states. However, without a cooperation agreement, they cannot themselves carry out investigative actions in Switzerland. If a company must appoint a representative in the EU (Art. 27 GDPR), the European supervisory authorities can serve their decisions on the Swiss company through this representative without going through the diplomatic channel.
[Question FialaCan companies be sanctioned by both Switzerland and the EU for the same case?]4 This possibility cannot be ruled out. However, the ne bis in idem principle (prohibition of double jeopardy) could apply if EU fines and criminal sanctions imposed by Swiss law enforcement authorities coincide.
[Question Fiala: Can companies be sanctioned by the EU or its member states even though they comply with Swiss law? No,]5. yes, if they are subject to the GDPR and violate its provisions.
[Question Fiala: Are Swiss certifications and certification bodies recognized by the EU?]6 The GDPR does not provide for a procedure for the recognition of Swiss certifications and certification bodies by the EU.
[Question Fiala: Is Switzerland involved in the development of standards?]7 The GDPR does not contain any provision that would provide for such participation by Switzerland. However, it is not excluded that Swiss companies could be involved, e.g. in the context of the development of codes of conduct.
[Question FialaThe GDPR refers in many places to the law of the member states. What role does Swiss law play in this?]8 Switzerland is not a Member State within the meaning of the GDPR. This applies irrespective of the fact that this legal act may apply directly to Swiss companies pursuant to its Article 3(2). The references to the law of the Member States do not include Swiss law, which consequently has no role to play..
[Question FialaThese questions show that there is a great need for coordination even before the revision of the DPA is discussed in parliament. Therefore, the Federal Council was instructed by the referred motion 16.3752 to seek a corresponding agreement with the EU. According to the answer to my question 17.5528 during question time on December 4, the Federal Council stated that it did not want to contact the European Commission before the parliamentary discussion. However, the above-mentioned questions will already arise for many Swiss companies in May 2018. Moreover, these implementation questions are also very valuable, especially for the consultation of the Swiss DPA. What steps does the Federal Council intend to take in order to regulate this need for coordination as quickly as possible under state treaty law?]9. the conclusion of a Cooperation Agreement between Switzerland and the EU will probably take several years. The chances of success will depend on whether Switzerland can demonstrate that its data protection legislation ensures an adequate level of protection within the meaning of the GDPR. Therefore, the Federal Council has deemed it appropriate to await the start of parliamentary work. A first contact with the European Commission was scheduled for the beginning of 2018. In view of the decision of the National Council’s State Policy Committee of 11 January 2018 to prioritize the legislative measures necessary for the implementation of the Schengen acquis and to carry out the examination of the adjustments aimed at bringing Swiss data protection law into line with the requirements of the GDPR in a second stage, However, the Federal Council intends to wait with this step for the time being.