privatim, the association of Swiss data protection commissioners, today published a summary of its opinion on the preliminary draft of the DPA. The consultation on the preliminary draft remains open until April 4, 2017.
The opinion of privatim naturally focuses on the regulations on data processing by public bodies. However, from the point of view of private processors, the following points are noteworthy:
Data protection impact assessment
- A data protection impact assessment (DPIA) would have to be carried out before each processing operation, because the “increased risk” could only be determined by the DPIA itself. This is logically understandable, but requires a distinction:
- In a first step, a controller (and only the controller should have a duty to perform a DPIA, not also the processor!) must ask itself whether an increased risk is likely (the correct term would be: a “high” risk). This first step is already necessary to ensure data security, but it can be done without any formalities and is not part of an actual DPIA.
- An actual DPIA, however, which will probably be the subject of the documentation requirement under Art. 19 lit. a CA, should only be required if an initial, form-free assessment has shown that there is a sufficient risk (which should be “high”, not merely “increased”). Always requiring such a DPIA would not only be impractical, but would also go far beyond Art. 35 para. 1 GDPR.
- It is clarified that, in the view of the cantonal data protection commissioners, the protection of fundamental rights as the protection objective set out in Art. 16(1) VE-DSG only applies to public bodies (as is already the case under current law). Accordingly, private parties only have to protect the personality of data subjects.
- The prior checking (i.e. consultation of the FDPIC) is considered insufficient. At least in the case of federal bodies, the DPIA (including planned measures) must be submitted to the FDPIC. In any case, it would be welcome if the DPIA only had to be reported to the FDPIC where it shows that a high risk is likely to remain despite the measures taken or planned. Otherwise, there is nothing for the FDPIC to examine. The GDPR also follows this approach (Art. 36 para. 1).
Privacy by Design / by Default
Here, the cantonal data protection commissioners raise the very legitimate question of whether the obligations implied in Art. 18(1) CA (privacy by design) do not already exist under Art. 11 CA (data security). In the case of Art. 18(2) CA (privacy by default), privatim raises the analogous question with reference to the proportionality principle. Indeed, it is not evident whether, or in what way, Art. 18 CA requires more than Art. 4 and 11 CA.
privatim also doubts the appropriateness of the threat of punishment provided for a violation of Art. 18 VE. This is probably in view of the constitutional requirement of certainty, which such a threat of sanctions could in fact hardly withstand, at least not without the courts strongly restricting it when applying the law (that the necessary certainty of a norm can be brought about not only by the legislature but also by the courts may be surprising, but it is recognized).
Data portability and right to erasure
privatim recommends that a right to data portability along the lines of the GDPR (Art. 20 GDPR; cf. the Working Paper of the Art. 29 Data Protection Working Party) be included in the law, but without going into detail about the content and nature of this right. The latter is a pity insofar as this right was highly controversial in the European legislative procedure. The European Parliament had even deleted it from its draft version. One reason for the criticism is that the right to data portability is not rooted in data protection law, but rather in intellectual property law and, above all, antitrust law. Secondly, it is feared that the data structuring required for transfer would create new security risks and would even be counterproductive in this respect. There are also questions about the distinction between “provided data”, which has been transferred to the controller and is subject to portability, and “derived data”, which has been generated by the controller and is excluded from the claim to portability.
privatim further recommends, also following the example of the GDPR (Art. 17), establishing a right to data erasure. However, such a right already follows from Art. 23(2)(b) of the preliminary draft, according to which processing contrary to the declared will of the data subject is unlawful. The fact that grounds for justification remain does not change this; a right to erasure cannot be unconditional anyway, and neither is it under Art. 17 GDPR.
Procedural issues
privatim also welcomes the proposed exemption from costs for data protection proceedings. What is also needed, however, is a reversal of the burden of proof, because in many cases it is not even possible for the data subjects to provide evidence of unauthorized processing. The latter may be true. However, one must ask whether a reversal of the burden of proof combined with cost-free proceedings does not virtually invite abuse. If there are no indications of data protection violations, there is no need for an incentive to bring proceedings. If there are indications, however, the procedural duties of the processor to cooperate (Art. 160 ff. CCP) should actually suffice. A breach of the duty to cooperate may in practice come close to a reversal of the burden of proof (cf. Art. 164 and 167 CCP). At most, it would have to be examined whether an optional reversal of the burden of proof in individual cases, along the lines of Art. 13a para. 1 UWG, may be justified (although the starting position there is different).
Sanctions
The statement of privatim on the planned sanctions is to be welcomed. It is wrong to “pass on enforcement deficits to criminal law.”
With the new provisions, the criminal judge enters into competition with the data protection supervisory authority, which makes neither institutional nor factual sense. Many of the new criminal provisions lack specificity, so that they contradict the principle of “nulla poena sine lege”. In addition, the criminal provisions described above do not fully implement the requirements of Directive (EU) 2016/680 and Art. 12bis para. 2 lit. c E‑SEV 108. The EU as well as the Council of Europe also explicitly require administrative sanctions that the Commissioner can impose.
Instead, the FDPIC should be able to impose administrative sanctions, even if this requires an expansion of the FDPIC’s resources. If necessary, the organization of the FDPIC should be adapted to that of the Comco.
Other provisions
The privatim statement addresses other points, including the following:
- Scope: The FADP should not apply to the parties during ongoing proceedings – this is already the case today and is certainly correct; otherwise, the right to information will become even more of a substitute for precautionary evidence under Art. 158 CCP.
- Special personal data: “Race” should be deleted. “Biometric” data, on the other hand, is too broad – a photograph, for example, should not be included. privatim proposes an alternative definition.
- Profiling: The definition of “profiling” is not criticized (not even the inclusion of non-automated profiling with factual data) – on the contrary: “However, it is completely insufficient if profiling is then virtually ‘waved through’ in sector-specific data protection law (in the federal laws to be adapted) with blanket authorizations. What is required is that clear and strict framework conditions for profiling be specified in the federal laws.”
- Consent: The requirement of “unambiguousness” is welcomed. However, what “explicit” means should be clarified in the dispatch.
- Good practice recommendations: This institution, which tends to be welcomed in business circles provided it is really the interested parties who draw up such recommendations, is viewed critically. Among other things, Art. 9 CA expresses too little “that compliance with good practice recommendations is merely a statutory presumption of compliance with data protection rules.”
- Data security: Data protection goals should be defined.
- Data of a deceased person: The provision of Art. 12 CA is welcomed in principle, but criticized in detail. Among other things, the exclusion of official and professional secrets is “extremely problematic”.
- Automated individual decisions: For the private sector, the proposed Art. 15 VE is welcomed.
- “Breach notification”: Here it is requested to define the data breach that triggers an obligation to notify. The following definition is proposed:
“A data breach occurs when security is breached such that processed personal data is irretrievably destroyed or lost, inadvertently or unlawfully altered or disclosed, or unauthorized persons gain access to such personal data.”
This restriction to qualified breaches of data security is to be welcomed. An obligation to report other unauthorized processing, such as late deletion, would not only be impractical, but also constitutionally questionable (“nemo tenetur”). The GDPR also limits the notification obligation to security breaches (Art. 34 para. 1 in conjunction with Art. 4 No. 12 GDPR).
- Documentation requirement: Following its concern about shifting the burden of proof, privatim demands that the documentation obligation cover compliance with data protection as a whole. However, this is probably impossible. Even a certified data protection management system cannot ensure compliance with data protection or the corresponding documentation. Only definable and measurable parameters should be subject to documentation.