30 years after the Federal Act on Data Protection (FADP; SR 235.1) came into force, the Federal Data Protection and Information Commissioner (FDPIC) published his 30th activity report in a press release on 26 June 2023. In just under two months’ time, the completely revised version of the FADP will come into force, which will provide the federal data protection supervisory authority in particular with new instruments to “meet the legitimate expectations of the population for robust protection of their privacy and informational self-determination in accordance with the rule of law in a modern manner”. In his press release, the FDPIC also announces that he will intensify his supervisory activities once the revised FADP comes into force and will gradually increase the number of formal investigations. The following article outlines the challenges that the FDPIC currently sees, the extent to which these are particularly relevant for companies, and the other challenges that the FDPIC has had to face in the course of his activities.

Keyword: Digital responsibility as corporate self-responsibility

In the context of the digital transformation as a phenomenon affecting society as a whole, every data processor or data controller is exposed to new risks, which is why the FDPIC believes that “digital responsibility is now part of good management”. Compliance with the Data Protection Act is part of this responsibility. The revised FADP obliges data controllers to take a “proactive approach”, with the law offering new instruments, in particular to create transparency, trust and credibility towards the data subjects. The processing of personal data does not have to be risk-free, but with the new instruments, data controllers can identify and minimise residual risks, take responsibility for them, and use this approach to guarantee the privacy and informational self-determination of all data subjects. Proactive thinking is also required in terms of technical security in order to counter cyber attacks with forward-looking measures.

The limits of digital self-responsibility

However, with the revised FADP, the legislator has also set a limit to the digital self-responsibility of data controllers: if it becomes apparent during the implementation of a project that the future processing of personal data is potentially associated with a high risk, the new FADP obliges the company or data controller to carry out a so-called data protection impact assessment (DPIA) in order to determine the emerging risk more precisely and take the necessary protective measures. If the risk of processing remains high even after the protective measures deemed appropriate have been implemented, the new FADP requires the FDPIC to be involved – the DPIA must be submitted to the FDPIC for review. But beware: the FDPIC expressly states that his subsequent opinion is not to be regarded as “authorisation” of the planned project! If a data controller refuses to comply with important objections or suggestions made by the FDPIC, the FDPIC can take supervisory action, i.e. even open an investigation and, if necessary, order a ban on processing. It is precisely this supervisory activity that the FDPIC has announced he will intensify, together with an increase in the number of investigations.

According to the published activity report, the FDPIC faced a number of challenges in the area of data protection as part of his activities in 2022/2023. Those that are likely to be of particular interest to companies are summarised below:

Data processing within the framework of certified systems

Together with the revised Data Protection Act, the new Ordinance on Data Protection Certification (DPO; SR 235.13) is also due to come into force on 1 September 2023. The FDPIC advised the Federal Office of Justice (FOJ) on the legislative work on the new DPO and comments in the activity report on the handling of data processing by certified systems. Data protection certification means that data controllers are no longer required to carry out a DPIA, even if there is a high risk to the privacy of the data subjects, and it makes it possible to (simply) document compliance with data protection legislation. The certification of (management) systems goes beyond the possibilities of European data protection certification, which only covers products, services and processes. Foreign certifications that meet the Swiss requirements are recognised, as are certification bodies that cooperate with the Swiss Accreditation Service (SAS). The FDPIC considers data protection certification to be an important means of promoting data protection and transparency in Switzerland.

Federal Supreme Court rules against the right to information of third parties in international tax administrative assistance

In 2019, the Federal Administrative Court upheld a complaint by the FDPIC, which demanded that in international tax administrative assistance, persons not affected by the request for administrative assistance, i.e. third parties, should also be informed in advance if their name is to be transmitted unredacted to the requesting foreign authority. This duty to inform should give third parties the opportunity to defend themselves against the unlawful transfer of their data. The Federal Tax Administration (FTA) lodged an appeal against this judgement with the Federal Supreme Court. In December 2021, the Federal Supreme Court changed its practice in favour of the FTA and overturned the earlier ruling, after it had issued a landmark ruling in another matter (BGE 146 I 172). Instead of fulfilling a general duty to inform, only those third parties whose right of appeal is obvious from the files must be informed. The Federal Supreme Court denied the general prior information obligation demanded by the FDPIC and referred to the provision in the Tax Administrative Assistance Act that contradicts this approach. Thus, at least from the perspective of data protection law, the possibility of defending oneself against an impending data transfer appears to have been massively restricted.

Preliminary clarification due to cyber attacks

At the end of November 2022, the hosting provider Infopro AG was the victim of a cyberattack, as a result of which business customers temporarily lost access to the cloud application and the personal data stored in the cloud. As a result, the FDPIC opened a preliminary investigation. Contact was made with the company concerned in order to quickly clarify the facts and examine the enquiries received. In particular, it was necessary to verify statements that customers had gained access to other customers’ data due to a security vulnerability in the software. As part of the preliminary investigation, the company was confronted with a comprehensive duty to cooperate, including questionnaires. In addition, an exchange took place with the cantonal data protection authorities (privatim) and the National Cyber Security Centre (NCSC), which works together with the responsible law enforcement authorities. On the basis of the responses received, the FDPIC found that the company had taken appropriate measures to regain control of the data and inform the customers concerned. For the time being, the FDPIC saw no need for additional measures, as no security breach was confirmed. In this respect, it can be said that the company concerned was aware of its need to take proactive action and, by acting on its own responsibility, may have been able to avoid further investigations by the FDPIC.

Cybersecurity: Amendment of the Information Security Act (ISG)

In his activity report, the FDPIC then comments on the planned amendment to the Federal Act on Information Security (Information Security Act, ISG; SR 128). In view of the increasing number of cyber incidents involving both private individuals and companies, the Federal Department of Finance (FDF) was commissioned by the Federal Council to draw up a legal basis for the introduction of a reporting obligation for cyber attacks on critical infrastructures. These reports are to be made to the National Cyber Security Centre (NCSC), in particular to provide it with a better overview of cyberattacks in Switzerland. In this context, the draft provides for reports to the NCSC to be exempt from the Federal Act on the Publicity Principle in the Administration (Publicity Act, PIA; SR 152.3). This amendment was rejected by the FDPIC, as it would compromise the principle of publicity and hinder the NCSC’s role as a central reporting centre. The FDPIC requested the withdrawal of the special provisions that had been adopted. The FDPIC’s request was partially fulfilled by the FDF by reducing the scope of the exception. Although the FDPIC welcomed this restriction, in his view it does not go far enough. From the point of view of companies, this development should be taken into account insofar as they should tend to exercise restraint in their reports, as there is a risk that company information not intended for third parties could be obtained by means of an access request under the Freedom of Information Act.