1. What does “secondary use” of data mean?
Secondary use of data refers to the use of data that has already been collected for a purpose other than that for which it was originally collected. While primary use refers to the immediate purpose of data collection, secondary use describes the subsequent use of this data in a new context. It is therefore not a new collection of data, but merely a reuse of existing information that is removed from its original context of use and, in some cases, combined with other data sets.
Secondary use differs from primary use in that it transcends the original purpose and opens up data for additional tasks. This includes, for example, the use of routine medical data for research purposes, the evaluation of mobility data for traffic control, or the use of energy data to optimize supply networks. The aim is to generate added value for the economy, science, or society.
From a legal perspective, secondary use is thus an expression of a paradigm shift in the handling of data.
While Switzerland’s data protection law focuses on the purpose limitation and minimization of personal data processing, innovation policy follows the idea of multiple use and networking.
This results in a tension between efficiency and privacy protection: on the one hand, the value of existing data for research, administration, and the economy should be exploited, but on the other hand, the protection of personal information must not be compromised.
The planned framework law will therefore not be limited to technical issues of data storage or transfer, but must also define the material and institutional requirements for a lawful change of purpose. It is meant to define the limits within which data may be used for new purposes without violating the data protection principles under Art. 6 of the Federal Act on Data Protection (FADP). The aim is to create a legal system that guarantees both the use and protection of data, thereby laying the foundation for a trustworthy, innovation-friendly data infrastructure in Switzerland.
2. The motion and its rationale: trust as a foundation
The motion emphasizes that data is a strategic resource for economic success, government action, and social innovation. In the future, it should be understood as a common good with added value potential, not as the exclusive property of individual institutions.
At the same time, the motion emphasizes that Switzerland needs trustworthy framework conditions in order to share data from private and public sources in a legally secure manner. The key to this is the establishment of cross-sector data spaces in which interoperability, governance, and data protection are linked.
3. Secondary use and data protection law: a tense relationship
The central legal conflict arises from the basic principle of purpose limitation in data protection law.
According to Art. 6 para. 3 FADP (SR 235.1), personal data may only be processed for the purpose specified at the time of collection, apparent from the circumstances, or provided for by law. This principle is intended to ensure that data is not used arbitrarily for other purposes. In addition, personal data must be processed lawfully, in good faith, and in a proportionate manner. Art. 6 para. 4 FADP also requires that personal data be destroyed or anonymized as soon as it is no longer necessary for the original purpose.
The planned secondary use aims to use data for new purposes not originally intended. This creates a legal tension:
· On the one hand, digital transformation requires the expanded use of data to promote innovation and efficiency.
· On the other hand, data protection law requires purpose limitation and data minimization.
A framework law would therefore have to clarify the conditions under which a new legal basis for secondary use can be created. Possible options include:
· Anonymization requirements to remove personal references (although anonymization itself also constitutes processing of personal data under the Data Protection Act),
· or governance models with public and private bodies that oversee the change of purpose. The secondary purpose must be largely compatible with the primary purpose, or the change of purpose must be based on a legal basis.
This makes the question of when data processing remains “personal” and when it transitions to non-personal secondary use the core problem of regulation.
4. Comparative law: Orientation towards the EU data strategy
Switzerland is not alone in this development. At the European level, comprehensive legal foundations have been created in recent years to regulate the handling of data and its cross-sectoral use. With the Data Governance Act (DGA) and the Data Act, the European Union has established a framework for data sharing, the reuse of public data, and access to privately generated data. These two pieces of legislation aim to promote the free but trustworthy flow of data within the internal market.
The Data Governance Act specifies, in particular, the conditions under which public authorities may make data they hold available to third parties for reuse. It also regulates the activities of so-called data intermediaries, which are intended to facilitate data exchange between different actors in a neutral and transparent manner. At the same time, it strengthens voluntary data exchange by defining requirements for the trustworthiness, transparency, and independence of these intermediaries.
The Data Act supplements this framework by defining rights and obligations regarding access to and use of data. In particular, it specifies the relationships between private actors, such as between manufacturers of connected devices and the users of these devices, and establishes binding rules for data use in the relationship between companies, consumers, and public authorities. The aim is to facilitate access to data, prevent distortions of competition, and preserve the data sovereignty of the individuals concerned.
The future Swiss framework law on the secondary use of data will have to be aligned with these European developments. Compatibility with the provisions of the Data Governance Act and the Data Act is necessary not only from an economic perspective, but also from a legal standpoint. Cross-border data flows have long been a reality, and isolated national regulations would significantly impede interoperability between Swiss and European data spaces. The challenge is therefore to create an independent but compatible set of rules that respects the Swiss legal system while ensuring international connectivity. Isolation would be neither economically nor constitutionally viable, as it would inhibit innovation and hinder access to the European data market.
5. Legislative objective: A framework law with sectoral characteristics
According to the motion, the new framework law should contain overarching principles and definitions for the establishment and operation of data usage infrastructures. It should be understood as a “start-up law” that provides impetus for the development of data spaces anchored in special legislation.
Specifically, the following are planned:
· Rules on the governance and management of data spaces (public or mixed-economy entities)
· Requirements for the financing and accessibility of data from private and public sources
· Linkage and interoperability requirements
· Funding instruments, e.g., sandbox regulations for pilot projects
The law could thus become a basic framework for data law.
6. Political process and outlook
Following the adoption of the motion, the Federal Council is now tasked with drafting a bill. This is likely to first be submitted for consultation as a draft bill before being forwarded to parliament. At the same time, the organization Digital Administration Switzerland is working on the strategic implementation of data spaces in the public sector.
The political discussion will show whether the law will be designed as a framework regulation with sector-specific openings or whether it will lead to greater harmonization of data law in Switzerland. The decisive factor will be whether a balance between innovation and data protection can be achieved.
Sources
· Motion 22.3890: Framework law for the secondary use of data
· Data Protection Act, SR 235.1
· Regulation 2022/868, Data Governance Act
· Regulation 2023/2854, Data Act
Note: revised with AI