Ground­hog Day: Thoughts on the Preli­mi­na­ry Draft of the Data Pro­tec­tion Regulation

Anyo­ne who thought that par­lia­men­ta­ry appr­oval had final­ly paved the way for the revi­sed Data Pro­tec­tion Act to come into force was wrong. The preli­mi­na­ry draft of the Data Pro­tec­tion Ordi­nan­ce (DPA), which was sub­mit­ted for con­sul­ta­ti­on at the end of June after a long run-up, over­shoots the mark to such an ext­ent that the con­sul­ta­ti­on pro­cess will be high­ly cri­ti­cal. The road to ent­ry into force seems as long as ever. Hard­ly anyo­ne still belie­ves that it will come into force befo­re the begin­ning of 2023. 

It’s déjà vu: an imprac­ti­cal draft regu­la­ti­on that meets with wide­spread rejec­tion among com­pa­nies. It’s a bit like Bill Mur­ray reli­ving the same day over and over again in the movie “Ground­hog Day. In the film, he final­ly escapes the time loop by prac­ti­cing humi­li­ty and doing good. One would also like to call on the Fede­ral Coun­cil (or the respon­si­ble Fede­ral Office of Justi­ce) to remem­ber old vir­tu­es when revi­sing the draft ordinance:

  • Restraint and com­pli­ance with the lawThe data pro­tec­tion ordi­nan­ce should only regu­la­te tho­se points for which the revi­sed Data Pro­tec­tion Act effec­tively pro­vi­des for imple­men­ting regu­la­ti­ons at ordi­nan­ce level: The mini­mum requi­re­ments for data secu­ri­ty, the obli­ga­ti­on to main­tain a pro­ce­s­sing direc­to­ry, the moda­li­ties of the right to infor­ma­ti­on, as well as indi­vi­du­al other points (many of which, howe­ver, only con­cern data pro­ce­s­sing by fede­ral bodies). If, for exam­p­le, the preli­mi­na­ry draft sud­den­ly wants to impo­se an obli­ga­ti­on on the pro­ces­sor to pro­vi­de infor­ma­ti­on (Art. 13 VE-VDSG), this sim­ply has no basis in the law.
  • Sen­se of rea­li­ty: The regu­la­ti­on should only requi­re com­pa­nies to do what they can rea­li­sti­cal­ly do. And not only the lar­ge finan­ci­al­ly strong cor­po­ra­ti­ons, but also the many medi­um-sized com­pa­nies. The pro­po­sed regu­la­ti­ons on data secu­ri­ty (Art. 2 VE-VDSG), for exam­p­le, are not mini­mum requi­re­ments, as Art. 8 para. 3 revDSG actual­ly demands. Rather, it is a broad bou­quet of ambi­tious pro­tec­tion goals that are to be “achie­ved”. Which would be okay if their vio­la­ti­on was not punis­ha­ble by law. But it is. This shows litt­le awa­re­ness of how dif­fi­cult it is, given today’s cyber risks, to meet all the­se pro­tec­tion goals at all times. Here, a look at the GDPR would be wort­hwhile: Art. 32 GDPR con­ta­ins rea­sonable regu­la­ti­ons on data secu­ri­ty that could be adopted almost tel quel.
  • The cou­ra­ge to let goRegu­la­ti­ons in the cur­rent ordi­nan­ce do not need to be updated if they are out­da­ted: For exam­p­le, the pro­ce­s­sing regu­la­ti­ons (Art. 4 VE-DPA). The revi­sed Data Pro­tec­tion Act adopts all of the exten­si­ve docu­men­ta­ti­on requi­re­ments of the GDPR – from the pro­ce­s­sing direc­to­ry to the data pro­tec­tion impact assess­ment. Requi­ring Swiss com­pa­nies to addi­tio­nal­ly com­ply with any Hel­ve­tic regu­la­ti­ons is non­sen­si­cal. Com­pa­nies in Switz­er­land should not have to keep more docu­men­ta­ti­on than com­pa­nies in the EEA. Time to let go of Swiss idiosyncrasies.

The draft regu­la­ti­on puts tog­e­ther a regu­la­to­ry packa­ge that in many places goes even fur­ther than the requi­re­ments of the GDPR. It igno­res the fact that it was the declared inten­ti­on of the legis­la­tor to avo­id such “Swiss finis­hes”. And gene­rous­ly over­looks the fact that the pro­vi­si­ons of the regu­la­ti­on actual­ly requi­re a legal basis. This must now be cor­rec­ted. The draft ordi­nan­ce is a missed oppor­tu­ni­ty. At the same time, howe­ver, it is also an oppor­tu­ni­ty to do bet­ter in the second attempt.

Mat­thi­as Glatt­haar is Head of Data Pro­tec­tion and Data Pro­tec­tion Offi­cer at the Fede­ra­ti­on of Migros Coope­ra­ti­ves. He gives his per­so­nal opinion.




Rela­ted articles