Anyone who thought that parliamentary approval had finally paved the way for the revised Data Protection Act to come into force was wrong. The preliminary draft of the Data Protection Ordinance (DPA), which was submitted for consultation at the end of June after a long run-up, overshoots the mark to such an extent that the consultation process will be highly critical. The road to entry into force seems as long as ever. Hardly anyone still believes that it will come into force before the beginning of 2023.
It’s déjà vu: an impractical draft regulation that meets with widespread rejection among companies. It’s a bit like Bill Murray reliving the same day over and over again in the movie “Groundhog Day”. In the film, he finally escapes the time loop by practicing humility and doing good. One would also like to call on the Federal Council (or the responsible Federal Office of Justice) to remember old virtues when revising the draft ordinance:
- Restraint and compliance with the law: The data protection ordinance should only regulate those points for which the revised Data Protection Act effectively provides for implementing regulations at ordinance level: the minimum requirements for data security, the obligation to maintain a processing directory, the modalities of the right to information, as well as individual other points (many of which, however, only concern data processing by federal bodies). If, for example, the preliminary draft suddenly wants to impose an obligation on the processor to provide information (Art. 13 VE-VDSG), this simply has no basis in the law.
- Sense of reality: The regulation should only require companies to do what they can realistically do. And not only the large financially strong corporations, but also the many medium-sized companies. The proposed regulations on data security (Art. 2 VE-VDSG), for example, are not minimum requirements, as Art. 8 para. 3 revDSG actually demands. Rather, it is a broad bouquet of ambitious protection goals that are to be “achieved”. Which would be okay if their violation was not punishable by law. But it is. This shows little awareness of how difficult it is, given today’s cyber risks, to meet all these protection goals at all times. Here, a look at the GDPR would be worthwhile: Art. 32 GDPR contains reasonable regulations on data security that could be adopted almost tel quel.
- The courage to let go: Outdated provisions of the current ordinance do not need to be carried over and updated; the processing regulations (Art. 4 VE-DPA), for example. The revised Data Protection Act adopts all of the extensive documentation requirements of the GDPR – from the processing directory to the data protection impact assessment. Requiring Swiss companies to additionally comply with any Helvetic regulations is nonsensical. Companies in Switzerland should not have to keep more documentation than companies in the EEA. Time to let go of Swiss idiosyncrasies.
The draft regulation puts together a regulatory package that in many places goes even further than the requirements of the GDPR. It ignores the fact that it was the declared intention of the legislator to avoid such “Swiss finishes”. And generously overlooks the fact that the provisions of the regulation actually require a legal basis. This must now be corrected. The draft ordinance is a missed opportunity. At the same time, however, it is also an opportunity to do better in the second attempt.
Matthias Glatthaar is Head of Data Protection and Data Protection Officer at the Federation of Migros Cooperatives. He gives his personal opinion.