Switzerland is a country located in the middle of Europe, but which is not governed by the GDPR, and has its own Data Protection Act. What do the two regulations have in common and what is the role of Switzerland with the European and global legal environment? The country has long been known for its neutrality. What role does Switzerland intend to play globally? A data haven? A place to foster harmonization among divergent national data protection laws? A country providing the highest information security due to their geographic environment?
In her Duet Interview with legal expert Prof. Dr Rolf H. Weber, Dr Caldarola, author of Big Data and Law, discusses data protection and information security in Switzerland and its targeted global position and market niche.
Before we start to examine the common features and differences between the GDPR and the Swiss regulations regarding data protection and information security, let us first explore the actual situation in Switzerland.
Prof. Dr Rolf Weber: The Swiss parliament adopted a new Data Protection Act (DPA) on 25 September 2020; since it appears to be unlikely that a referendum will take place, the DPA will become binding in early 2021 and the Federal Council envisages implementing the DPA as of January 2022, once a more detailed Ordinance has been worked out in 2021.
The Swiss DPA follows the principles of the GDPR to a large degree. However, the provisions are more general and provide few details and are by and large more lenient. The GDPR was a “model” for the Swiss DPA for two reasons:
- The GDPR is to be applied broadly (Art. 3 para. 2); as soon as a Swiss enterprise offers goods or services to an EU citizen (cross-border business), the GDPR applies. Therefore, many Swiss enterprises must already comply with the GDPR.
- Switzerland is interested in the European Commission re-instating the decision, which had formerly been in place for more than a decade, that Swiss data protection levels are adequate and reflect EU standards, with procedures of equivalency now pending.
A few significant differences exist, for example, in the context of sanctions; minor deviations concern automated decision-making, data breach notification and data protection impact assessment.
According to Swiss law, the Federal Data Protection and Information Commissioner (FDPIC) does not have specific direct powers to enforce the DPA. S/he may investigate cases on his/her own initiative or at the request of a third party and may issue recommendations that a specific data processing practice be changed or abandoned. If an FDPIC recommendation is not complied with, s/he may refer the matter to the Swiss Federal Administrative Court for a decision. Furthermore, the DPA provides for criminal liability and fines of up to CHF 10,000 for non-compliance with obligations under the DPA.
The statement related to the specific direct powers of the FDPIC is correct under the existing DPA. But the new DPA will grant respective powers to the FDPIC.
As mentioned, however, even under the new DPA, the sanctions regime is different from the GDPR:
- Only individual persons can be sanctioned, not enterprises, which has the “disadvantage” that management may try to deny a general organizational weakness and instead point to the individual in question who may possibly have committed a fault.
- The maximum fine is to be CHF 250 000, a figure which seems reasonable since it can be levied on an individual person, and not an enterprise, meaning turnover is not a relevant factor in calculating the amount.
Whether this divergence between DPA and GDPR will cause problems in equivalency procedures remains to be seen.
Do Swiss rules favour Switzerland becoming an attractive data market place?
The design of a sanctions regime for violating data protection laws hardly renders a data market place attractive.
What are the next steps?
On the one hand, the Federal Council will have to prepare the ordinance concerning the DPA; on the other hand, an equivalency process between the EU and Switzerland must be concluded pending a decision.
Switzerland brands itself as a neutral place within Europe. Does the DPA reflect this image? If so, what are the business opportunities of Switzerland with regard to data within the EU and how does Switzerland promote those market niches to achieve this goal?
Switzerland is politically neutral, but, as far as the legal framework is concerned, the Swiss legislator is “forced” to harmonize the rules in order to enable a smooth participation of Swiss enterprises in the EU markets (and vice versa for EU enterprises). The discussions of the “Institutional Agreement” show that the European Commission insists on Switzerland accepting new EU rules, for example, in the context of digital markets.
Market niches do exist, for example, in the FinTech and crypto-assets markets. Already in 2017, the Swiss government introduced a sandbox innovation scheme allowing certain financial services to be offered without being required to obtain a license. Since January 2019, FinTech start-ups can apply for a so-called license light, involving much less administrative work than a traditional license. These niches are promoted by Swiss politicians and industry associations in order to label Switzerland as a blockchain nation.
Conversely, data protection laws do have a horizontal nature making it less easy to liberalize the regime, apart from cross-border implications, since all markets are concerned. In general, it can also be said that at least to a certain extent the level of consumer protection provisions is lower in Switzerland than in the EU making the distribution of goods and services more attractive (or cheaper).
In an earlier Duet interview with Thomas Kahl, we explored the topic of data havens. Since Switzerland has/had an image of being a tax haven, do you think that Switzerland is evaluating the idea of becoming a data haven? If so, what would it look like?
The Privacy Shield Agreement between the United States and Switzerland has not been invalidated by a court decision, but the Swiss Data Protection Officer published a statement that it is also no longer to be considered as binding after the respective decision of the European Court of Justice in July 2020. Data exports to the US now need to be justified on the basis of contractual clauses guaranteeing an adequate level of data protection.
Switzerland is not interested in becoming a data haven in the sense of establishing a low data protection level – and is incidentally no longer a tax haven in practice. Swiss enterprises, however, are implementing high data/information security standards and promote this quality abroad. Even if the data/information security provisions are comparable to those in EU countries, private initiatives tend to reach high levels for the given security environment. In addition, for example, highly secure data centres are available in old military establishments in the rocks of the mountains; the enterprises concerned are marketing the corresponding high physical security due to the centres having once been military installations.
Recently, the Schrems II lawsuit appeared before the European Court of Justice. Has this court decision had any effect on Switzerland? If not, does this offer Switzerland a new opportunity with regard to the transfer of data coming from the EU with a US destination and vice versa?
The Schrems II judgment does not have a direct legal influence on Switzerland, but rather a factual one, as already explained, i.e. the Privacy Shield is gone.
During the various Duet interviews we came to the conclusion that data protection laws throughout the world are very diverse. In order to realize cross-border projects, such as Big Data, Industry 4.0, digital eco-systems and the like, a legal harmonization is inevitable. Will Switzerland promote an international organization similar to the WIPO, which had the goal of harmonizing intellectual property laws throughout the world? Are there such initiatives? Or do specific differences between intellectual property and data protection exist that require a different approach?
Since digital business is global, harmonized data protection rules would make sense. This necessity can be seen when looking at the discussions amongst international trade actors conducted in the context of the General Agreement on Trade in Services of the WTO. Article XIV(1)(c) allows the introduction of regulations which are not inconsistent with the GATS relating to the protection of the privacy of individuals regarding the processing and dissemination of personal data and the protection of confidentiality of individual recordings. A certain harmonization of privacy standards would facilitate the interpretation of this provision.
Negotiations of an international treaty would be very difficult and cumbersome. The discussions concerning the amendments of the International Telecommunications Regulations (ITR) of the ITU (UN body domiciled in Geneva) during the WCIT 2012 in Dubai have shown that a global consensus cannot even be reached with regard to the term “security” in an internet infrastructure context. More liberal countries, including most European countries as well as the United States, Canada, and Australia have advocated an interpretation encompassing resilience and stability of the infrastructure, while more hierarchically structured countries, such as China, Iran, Saudi Arabia among others, wanted to include aspects of public policy into the security notion.
To date, Switzerland has not initiated or promoted an international organization dealing with data protection issues, notwithstanding the fact that Geneva hosts many international organizations. But Switzerland is a prominent supporter of efforts in the Internet Governance context; over the last few years, privacy has gained importance in discussions on internet-related principles. For example, the Geneva Internet Platform (GIP) hosts many diplomatic events. Furthermore, by providing human resources and financial support, Switzerland has substantially advanced the work of the UN Secretary-General’s High-Level Panel on Digital Cooperation, which presented its report in summer 2020 and led to a roadmap for digital cooperation and principles of cyber governance. Not surprisingly, even a private actor, namely the US firm Microsoft, has centred its activities around the objective to attain harmonized standards in the cybersecurity field in accordance with the so-called “Digital Geneva Convention”.
As has already been mentioned, Geneva hosts many international UN organizations. But data protection issues having a horizontal nature cannot easily be replicated to sector-specific issues. Therefore, a comparison with the WIPO is difficult since intellectual property is more business-oriented and therefore politically less sensitive than data protection having a closer connection to national sovereignty. Information/data is crucial for government activities as well as for the exercise of human rights by civil society members; more hierarchically organized countries, particularly countries having only one monopolistic political party, are usually not willing to surrender absolute control of data flows – including transfers of personal data among individuals. The political will to come to a compromise that could impact state sovereignty is more likely than in matters which are more business-related, such as intellectual property rights.
My opinion is:
Data protection standards require better harmonization due to global networks; the privacy needs of individuals are as valuable as state sovereignty claims.
Prof. Dr Rolf Weber
Prof. Weber, thank you for sharing your insights on the role of Switzerland within the European and global legal environment, referring particularly to data protection and information security.
Thank you, Dr Caldarola, and I look forward to reading your upcoming interviews with recognized experts, delving even deeper into this fascinating topic.