What key protections exist for personal data?
Technology (second edition)
Switzerland is a party to certain international treaties regarding data protection, such as the European Convention on Human Rights and Fundamental Freedoms and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 (Convention ETS 108) and its additional protocol of 8 November 2001.
The Data Protection Act (DPA) is currently undergoing revision and a draft of the revised DPA was published in September 2017. However, the draft is still subject to parliamentary debate and therefore the final wording of the revised DPA remains uncertain. The Swiss parliament has decided to divide the ongoing revision into two parts as follows:
- The first part includes the revision of only those provisions of the DPA which are required due to the implementation of Directive 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data. This Directive must be implemented by Switzerland as it forms part of the Schengen acquis. The scope of the Directive is limited to the processing of personal data by competent authorities for the aforementioned purposes. Accordingly, it only imposes additional obligations on authorities conducting such processing as a controller and natural or legal persons processing personal data as a processor on behalf of such an authority.
- The second part of the DPA revision will include the revision of those DPA provisions necessary to uphold the EU adequacy decision for Switzerland and, accordingly, will contain an equivalent of many of the provisions introduced in the EU through the GDPR. This second part will be taken up subsequently and the respective timing remains unknown (although it is currently not expected that the second part of the revision will enter into force before late 2019 or 2020).
‘Personal data’ or ‘personal information’ under the Cyber Security Law refers to various types of information that can be used separately or in combination with other information to identify a natural person, including but not limited to name, date of birth, identity certificate number, genetic information, address and telephone numbers. According to the Cyber Security Law, when network operators collect personal information, they shall follow the principles of legitimacy, rightfulness and necessity, disclose their rules of collecting and using the information, specify the purpose, ways and scope of collecting and using the information, and obtain consent from the information subjects. Network operators shall not divulge, tamper with or damage the personal information they have collected, and shall not provide the personal information to others without the consent of the information subjects.
The Guidelines for the Protection of Personal Information (GB/Z 28828-2012) divide personal information into personal general information and personal sensitive information. Personal sensitive information means information which, once exposed or modified, will have an adverse impact on the information subject. For personal sensitive information, express consent from the information subject is required before the information is collected.
Further, Article 253 of the Criminal Law and its 9th amendment define the criminality of selling or providing citizens' personal information where the circumstances are serious. To give more guidance on applying the criminal law, the Interpretations of the Supreme Court and the Supreme Procuratorate on Several Issues Concerning the Application of Law in Handling Criminal Cases of Invading Personal Information further specify the criminality stipulated in Article 253.