With the increasing development of communication and distribution channels, as well as the increased capacity for companies to collect and process personal data, personal data protection is now under the spotlight.
In September 2017, the Federal Council presented a draft for a fully revised Data Protection Act (E-FADP), which aims to increase transparency and strengthen the participation rights of data subjects whose data is processed. The draft is largely based on the General Data Protection Regulation (GDPR), which has been in effect since 25th May 2018. Similarly, the ePrivacy Regulation, which has also been adopted by the EU (not yet in force) and is intended to regulate privacy on the Internet and in electronic communications as Lex Specialis, is also closely linked with the FADP.
This publication is intended to show what Swiss companies can expect from the FADP's revision, how far the legislation differs from the GDPR and what challenges could be faced during the implementation.
The implementation of the EU-GDPR regulation in May 2018, as well as the ePrivacy Regulation (expected 2020), represent a wave of European measures aimed at protecting the personal freedoms of data subjects.
The Federal Council decided in 2011 to revise the Data Protection Act, which came into force in 1992. Due to the publication of the GDPR in 2016, the Swiss National Council decided to carry out the revision of the Data Protection Act with the inclusion of the GDPR. This affects all Swiss companies that process personal data (such as customer or employee data). Any handling of personal data constitutes processing, in particular the procurement, storage, safekeeping, usage, modification, disclosure, archiving, deletion or destruction of data. Due to the broad scope, there will probably be only a few companies in Switzerland that are not affected by the revision.
Affected companies’ experiences with the GDPR, as well as the draft revision of the FADP, show that the implementation of the new regulations represents a major challenge for companies. Therefore, there is an urgent need for action. A holistic understanding of the coming regulations is central to being as cost efficient and market-conforming as possible. Both technical and temporal dependencies between the revised Data Protection Act (E-FADP), ePrivacy Regulation and GDPR should be taken into account during the implementation.
The total revision of the Swiss FADP was then divided into two stages: the division should allow for the necessary prior consultation of the implementation of the EU law (Directive 2016/680 on the protection of individuals with regard to the processing of personal data in the criminal field), which is required by the Schengen agreements. Subsequently, the total revision of the Data Protection Act can be addressed “without time pressure”. For Swiss companies, the second stage, which is expected to be completed by the end of 2020, is particularly relevant.
The E-FADP reinforces many of the existing rights of data subjects, introduces various new requirements and, in a few cases, restricts existing articles. The new draft differs from the existing legislation (FADP) in the following key points:
While the EU Data Protection legislation has a limited effect on certain companies based in Switzerland, the new Data Protection Act is still relevant to all Swiss companies. Companies that are already in compliance with the requirements of the EU-GDPR should also deal with the new Swiss Data Protection Act, as there are substantive differences in the content of those acts.
Where does your company stand?
Depending on the specific market activities of Swiss companies, either the provisions of only the E-FADP apply, or both the E-FADP and the GDPR apply. The following graph gives you an overview of which data protection regulations are especially relevant for your company.
The ePrivacy Regulation that has already been in effect since December 5th 2017 protects the right to privacy and communication and is one of the cornerstones of the EU’s Digital Single Market Strategy. This new regulation has been positioned as “future-proof”: it refers to existing and future communication technologies. The ePrivacy Regulation will have a disruptive effect on companies' digital strategies, which will need to be redefined to meet the new standards.
The ePrivacy Regulation will replace the existing ePrivacy Directive, last revised in 2009. The new regulation has been amended to reflect current digital markets and therefore includes a significant extension in scope and application. The main objective of the ePrivacy Regulation is to protect the electronic communications of natural and legal persons, and the information stored in their electronic devices. The cornerstones of the proposed rules on privacy and electronic communications are:
The objective of the ePrivacy Regulation is to supplement the requirements of the EU-GDPR. However, the two regulations may overlap. In case of conflict, the decisions according to the ePrivacy Regulation take precedence (provided they do not reduce the level of protection that natural persons enjoy within the framework of the EU-GDPR). Thus, the ePrivacy Regulation represents a Lex Specialis for the GDPR.
The ePrivacy Regulation represents a Lex Specialis for the GDPR and as such is relevant to Swiss companies. It is recommended that companies consider interfaces to the ePrivacy Regulation based on the existing design when analysing the E-FADP.
Swiss companies need to take immediate action on the GDPR/E-FADP and the ePrivacy Regulation in a timely manner, moving away from tactical temporary solutions and towards long-term strategic solutions. The automation of inquiries must be promoted in order to accomplish timely processing, case management and the deletion or archiving of personal data in an efficient, faster and cost-saving way.
Swiss companies need to take immediate action on the GDPR/E-FADP and the ePrivacy Regulation in a timely manner. A significant challenge is the management of corporate regulatory conflicts: e.g. E-FADP vs. GDPR vs. the ePrivacy Regulation. At the same time, managing the uncertainty surrounding the final version of the regulations and the cost / effort of any estimation are key aspects to achieving efficient compliance.
Regarding the ePrivacy Regulation policies, companies need to analyse their application to their company and, if necessary, adapt the company’s data privacy and electronic communications processes.
In the upcoming years, the topic of data protection will continue to occupy compliance and legal functions, as well as IT functions. Efficient IT solutions are becoming increasingly available and are receiving greater focus, especially in the areas of data management, data archiving and data classification.
PwC can assist you in tackling and overcoming those challenges.