How does Switzerland fit into the GDPR context?

Prof. Dr Rolf Weber – Photo: Beat Baschung

In her Duet Interview with legal expert Prof. Dr Rolf H. Weber, Dr Caldarola, author of Big Data and Law, discusses data protection and information security in Switzerland and its targeted global position and market niche.

Before we start to examine the common features and differences between the GDPR and the Swiss regulations regarding data protection and information security, let us first explore the actual situation in Switzerland.

Prof. Dr Rolf Weber: The Swiss parliament adopted a new Data Protection Act (DPA) on 25 September 2020; since it appears to be unlikely that a referendum will take place, the DPA will become binding in early 2021 and the Federal Council envisages implementing the DPA as of January 2022, once a more detailed Ordinance has been worked out in 2021.

The Swiss DPA follows the principles of the GDPR to a large degree. However, the provisions are more general and provide few details and are by and large more lenient. The GDPR was a “model” for the Swiss DPA for two reasons:

  1. The GDPR is to be applied broadly (Art. 3 para. 2); as soon as a Swiss enterprise offers goods or services to an EU citizen (cross-border business), the GDPR applies. Therefore, many Swiss enterprises must already comply with the GDPR.
  2. Switzerland is interested in the European Commission re-instating the decision, which had formerly been in place for more than a decade, that Swiss data protection levels are adequate and reflect EU standards, with procedures of equivalency now pending.

A few significant differences exist, for example, in the context of sanctions; minor deviations concern automated decision-making, data breach notification and data protection impact assessment.

According to Swiss law, the Federal Data Protection and Information Commissioner (FDPIC) does not have specific direct powers to enforce the DPA. S/he may investigate cases on his/her own initiative or at the request of a third party and may issue recommendations that a specific data processing practice be changed or abandoned. If an FDPIC recommendation is not complied with, s/he may refer the matter to the Swiss Federal Administrative Court for a decision. Furthermore, the DPA provides for criminal liability and fines of up to CHF 10,000 for non-compliance with obligations under the DPA.

The statement related to the specific direct powers of the FDPIC is correct under the existing DPA. But the new DPA will grant respective powers to the FDPIC.

As mentioned, however, even under the new DPA, the sanctions regime is different from the GDPR:

  1. Only individual persons can be sanctioned, not enterprises, having the “disadvantage” of management possibly trying to deny a general organizational weakness but instead pointing to the individual in question who possibly may have committed a fault.
  2. The maximum fine is to be CHF 250 000, a figure which seems reasonable since it can be levied on an individual person, and not an enterprise, meaning turnover is not a relevant factor in calculating the amount.

Whether this divergence between DPA and GDPR will cause problems in equivalency procedures remains to be seen.

Do Swiss rules favour Switzerland becoming an attractive data market place?

The design of a sanctions regime for violating data protection laws hardly renders a data market place attractive.

What are the next steps?

On the one hand, the Federal Council will have to prepare the ordinance concerning the DPA; on the other hand, an equivalency process between the EU and Switzerland must be concluded pending a decision.

Switzerland brands itself as a neutral place within Europe. Does the DPA reflect this image? If so, what are the business opportunities of Switzerland with regard to data within the EU and how does Switzerland promote those market niches to achieve this goal?

Switzerland is politically neutral, but, as far as the legal framework is concerned, the Swiss legislator is “forced” to harmonize the rules in order to enable a smooth participation of Swiss enterprises in the EU markets (and vice versa for EU enterprises). The discussions of the “Institutional Agreement” show that the European Commission insists on Switzerland accepting new EU rules, for example, in the context of digital markets.

Market niches do exist, for example, in the FinTech and crypto-assets markets. Already in 2017, the Swiss government introduced a sandbox innovation scheme allowing certain financial services to be offered without being required to obtain a license. Since January 2019, FinTech start-ups can apply for a so-called license light, involving much less administrative work than a traditional license. These niches are promoted by Swiss politicians and industry associations in order to label Switzerland as a blockchain nation.

Conversely, data protection laws do have a horizontal nature making it less easy to liberalize the regime, apart from cross-border implications, since all markets are concerned. In general, it can also be said that at least to a certain extent the level of consumer protection provisions is lower in Switzerland than in the EU making the distribution of goods and services more attractive (or cheaper).

In an earlier Duet interview with Thomas Kahl, we explored the topic of data havens. Since Switzerland has/had an image of being a tax haven, do you think that Switzerland is evaluating the idea of becoming a data haven? If so, what would it look like?

The Privacy Shield Agreement between the United States and Switzerland has not been invalidated by a court decision, but the Swiss Data Protection Officer published a statement that it is also no longer to be considered as binding after the respective decision of the European Court of Justice in July 2020. Data exports to the US now need to be justified on the basis of contractual clauses guaranteeing an adequate level of data protection.

Switzerland is not interested in becoming a data haven in the sense of establishing a low data protection level – and is incidentally no longer a tax haven in practice. Swiss enterprises, however, are implementing high data/information security standards and promote this quality abroad. Even if the data/information security provisions are comparable to those in EU countries, private initiatives tend to reach high levels for the given security environment. In addition, for example, highly secure data centres are available in old military establishments in the rocks of the mountains; the enterprises concerned are marketing the corresponding high physical security due to the centres having once been military installations.

Recently, the Schrems II lawsuit appeared before the European Court of Justice. Has this court decision had any effect on Switzerland? If not, does this offer Switzerland a new opportunity with regard to the transfer of data coming from the EU with a US destination and vice versa?

The Schrems II judgment does not have a direct legal influence on Switzerland, but rather a factual one, as already explained, i.e. the Privacy Shield is gone.

Since digital business is global, harmonized data protection rules would make sense. This necessity can be seen when looking at the discussions amongst international trade actors conducted in the context of the General Agreement on Trade in Services of the WTO. Article XIV (1)(c) allows the introduction of regulations which are not inconsistent with the GATS relating to the protection of the privacy of individuals regarding the processing and dissemination of personal data and the protection of confidentiality of individual recordings. A certain harmonization of privacy standards would facilitate the interpretation of this provision.

Negotiations of an international treaty would be very difficult and cumbersome. The discussions concerning the amendments of the International Telecommunications Regulations (ITR) of the ITU (UN body domiciled in Geneva) during the WCIT 2012 in Dubai have shown that a global consensus cannot even be reached with regard to the term “security” in an internet infrastructure context. More liberal countries, including most European countries as well as the United States, Canada, and Australia have advocated an interpretation encompassing resilience and stability of the infrastructure, while more hierarchically structured countries, such as China, Iran, Saudi Arabia among others, wanted to include aspects of public policy into the security notion.

To date, Switzerland has not initiated or promoted an international organization dealing with data protection issues – notwithstanding the fact that Geneva hosts many international organizations. But Switzerland is a prominent supporter of efforts in the Internet Governance context; over the last few years, privacy has gained importance in discussions on internet-related principles. For example, the Geneva Internet Platform (GIP) hosts many diplomatic events. Furthermore, by providing human resources and financial support, Switzerland has substantially advanced the work of the UN Secretary-General’s High-Level Panel on Digital Cooperation – having presented its report in summer 2020 and leading to a roadmap for digital cooperation and principles of cyber governance. Not surprisingly, even a private actor, namely the US firm Microsoft, has centred its activities around the objective to attain harmonized standards in the cybersecurity field in accordance with the so-called “Digital Geneva Convention”.

As has already been mentioned, Geneva hosts many international UN organizations. But data protection issues having a horizontal nature cannot easily be replicated to sector-specific issues. Therefore, a comparison with the WIPO is difficult since intellectual property is more business-oriented and therefore politically less sensitive than data protection having a closer connection to national sovereignty. Information/data is crucial for government activities as well as for the exercise of human rights by civil society members; more hierarchically organized countries, particularly countries having only one monopolistic political party, are usually not willing to surrender absolute control of data flows – including transfers of personal data among individuals. The political will to come to a compromise that could impact state sovereignty is more likely than in matters which are more business-related, such as intellectual property rights.

My opinion is:

Data protection standards require better harmonization due to global networks; the privacy needs of individuals are as valuable as state sovereignty claims.

Prof. Dr Rolf Weber

Thank you, Dr Caldarola, and I look forward to reading your upcoming interviews with recognized experts, delving even deeper into this fascinating topic.

About me and my guest

Dr Maria Cristina Caldarola

Dr Maria Cristina Caldarola, LL.M., MBA is the host of “Duet Interviews”, co-founder and CEO of CU³IC UG, a consultancy specialising in systematic approaches to innovation, such as algorithmic IP data analysis and cross-industry search for innovation solutions.

Cristina is a well-regarded legal expert in licensing, patents, trademarks, domains, software, data protection, cloud, big data, digital eco-systems and industry 4.0.

A TRIUM MBA, Cristina is also a frequent keynote speaker, a lecturer at St. Gallen, and the co-author of the recently published Big Data and Law now available in English, German and Mandarin editions.

Prof. Dr Rolf Weber

Prof. Dr Rolf H. Weber is Professor of international business law at Zurich University acting there as co-director of the Research Program on Financial Market Regulation, the Center for Information Technology, Society, and Law and the Blockchain Center. He was Visiting Professor at Hong Kong University and is a practicing attorney-at-law in Zurich. His main fields of research and practice are IT and Internet, international trade and finance as well as competition law.
