Revision of the Swiss Federal Act on Data Protection

Federal Council has started the consultation process

On December 21, 2016, the Federal Council published the preliminary draft for a complete revision of the Federal Act on Data Protection (FADP). Interested parties may submit a formal position until April 4, 2017. The key points of the revision are summarised below:

Broader information duties (active information)
Stronger right to information (more information)
Documentation duties
Control of data subject over their personal data (right to rectification and erasure)
Privacy by Design and Privacy by Default
Inspection and authorisation duties (e.g. data protection impact assessment when data processing entails a high risk, corporate data protection measures for the transfer of data to third countries)
Data Breach Notifications
Best Practice recommendations
Increased competences of the Federal Data Protection and Information Commissioner FDPIC (precautionary measures, administrative actions, administrative assistance)
Fines in the amount of up to CHF 500'000 for privacy violations

VISCHER will analyse the proposed revision and support companies and interested parties in the evaluation of the potential impact as well as the draft of statements during the consultation process. The preliminary draft foresees that many important details will only be decided in the respective ordinance.

The draft provides stricter rules compared to the current FADP, however, it is not as strict as the regulations in the EU. We are confident that Switzerland needs a pragmatic and stringent data protection act that accounts for economic interests as well as the interests of all parties concerned. To remain competitive, Switzerland must ensure that its data protection level is recognised as equivalent to the EU standards. However, it is not necessary to completely adopt the EU's General Data Protection Regulation. Swiss law should remain reasonable – especially with regard to companies that focus their operations on the Swiss market. The so-called risk-based approach would adequately address this. Instead of creating general and broad data protection and data security rules, regulators should focus on implementing specific rules in areas where considerable risks to privacy exist, e.g. when processing personal data of children and young adults or health data.

The members of our Competence Team in Data Law are at your disposal for any questions concerning the revision of the FADP as well as possible actions you may consider to take.