It is the most discussed innovation of the revised Data Protection Act in data protection circles: the new penalty provisions. There is a great deal of uncertainty, and many companies – and their employees involved in data protection – are wondering how the risk of criminal liability can be “managed” in corporate practice.
As a reminder: if data protection regulations are violated, the new Data Protection Act, unlike the GDPR, does not punish the company but the individuals acting on its behalf, with a fine of up to CHF 250,000, under certain circumstances combined with an entry in the criminal record (although this is only visible to the authorities). Only deliberate action is punishable, which covers not only the deliberate commission of the act but also accepting that it may occur (contingent intent). In most cases, a criminal complaint by an affected person is required for the prosecution authorities to take action. Such a complaint can be filed by a data subject, but not by the FDPIC.
Penalties attach in particular to breaches of the obligations to provide information and disclosure, to ensure appropriate data security, and to comply with the requirements when using processors and when transferring data abroad. Violations of other obligations, on the other hand, go unpunished. For example, there is no penalty for failing to report a data breach, failing to maintain a record of processing activities, or failing to conduct a data protection impact assessment despite high risks. The selection of duties subject to punishment is quite arbitrary and at best only partly reflects the wrongfulness of the breach of duty.
Many strategies, but no silver bullet
So what precautions can be taken with regard to the new criminal regime? The best protection against criminal proceedings is, of course, compliance with data protection law. Anyone who complies with the law has nothing to fear. The problem is that data protection law is now so complex and so strict that it is difficult to comply fully with all the regulations at all times. Considerations must therefore go beyond efforts to ensure compliance as best as possible.
In practice, the following strategies, among others, have emerged in dealing with the new penalty provisions:
- Insurance: Many companies already have D&O insurance or insurance against cyber risks. The idea of extending the insurance coverage to the new fines under data protection law seems obvious. However, the prevailing view is that the fines under the new data protection law are of a highly personal nature as criminal sanctions and are therefore not insurable. According to the widespread opinion, an insurer would even be guilty of aiding and abetting and would thus itself be liable to prosecution. Only (but at least) the criminal defense and procedural costs are insurable, which are already included in the scope of coverage of many common D&O insurance policies.
- Employer assumption of fines: In effect, it comes close to an insurance policy if the company promises its employees to pay any fines. Some companies are apparently considering this step, but most are reluctant. Companies expect their employees to comply with applicable laws. Incentives should be created for legally compliant behavior, not for violations of the law. Moreover, criminal liability under the new data protection law presupposes intent by definition, and what company would want to hold its employees harmless if they deliberately act unlawfully? (In practice, however, contingent intent, which is also punishable, is closer to negligence than to the classic “knowledge and intent” of the act). In addition, there is a widespread view that the assumption of the fine fails because of the highly personal nature of criminal sanctions.
- Sharpening decision paths: There is a widespread desire to sharpen the organization and create clear decision-making structures. The goal is to clearly define for everyone involved where decisions are made and who only creates decision-making bases but does not make decisions themselves. This creates clarity about responsibilities. Most company data protection officers will want to make it clear that data protection officers or data protection advisors only have an advisory function, not a decisive one. These decision-making structures should also be reflected in the relevant job and function descriptions. In addition, DPO provisions and similar flanking regulations can further consolidate the defined responsibilities. – The opposite strategy, by the way, would be to deliberately create diffuse decision-making structures and make it as difficult as possible for law enforcement agencies to identify the person responsible. This would be done in the hope that the law enforcement authorities would make use of the option provided in the law to punish the business instead of the natural person. Even if this strategy could well lead to the desired result, it cannot be seriously advised to deliberately conceal responsibilities.
- Documentation: One piece of advice often heard is to document as much as possible. Risk decisions in particular should be comprehensively documented and thus made comprehensible. This may not always prevent violations of data protection regulations, but it should at least make it difficult to conclude that the actions were intentional. On the other hand, documentation also has the potential to backfire: if it is documented that a data protection violation was deliberately accepted, then it is as good as proven that the action was intentional.
- Designated Risk Taker: One of the more original approaches is to designate a “Designated Risk Taker” to whom the sanction risks are channeled as much as possible. The advantage of this approach is that the sanction risk becomes “manageable” through clear allocation: the risks can be assessed and compensated. This construct, borrowed from the financial industry, is an interesting thought experiment, but in practice the approach is hardly workable. Criminal liability is based on actual circumstances and decision-making structures, not on designed allocations. Moreover, one must have a very high appetite for risk to make oneself available as a “designated risk taker.”
A disservice to data protection
The above overview shows that there is no silver bullet for dealing with the new criminal provisions. The risk of criminal liability under the revised Data Protection Act is a reality and can neither be insured nor “organized away”. Nevertheless, it is worthwhile to engage with the penal provisions and come up with a strategy. Sharpening the organization and decision-making structures and consistently documenting risk decisions are certainly good starting points. There is still some time left: it will be about a year before the revision comes into force.
However, the first effects of the new penal provisions can already be observed today. Companies report that there has been a noticeable decline in the willingness to take on a data protection-related function in a company. One reason is the fear of exposing oneself to the risk of criminal sanctions. This is a warning sign: Functioning data protection organizations are built on decentralized data protection functions in the business units. If these cannot be staffed as desired, effective data protection becomes difficult. The new penal provisions do a disservice to the core concerns of data protection.
Matthias Glatthaar is Head of Data Protection and Data Protection Officer at the Federation of Migros Cooperatives. He gives his personal opinion.