Changing legislation in Switzerland: The new Swiss Federal Data Protection Act and updates on cybersecurity

1) 2023: An important year for data protection and cybersecurity in Switzerland

Swiss data protection law is primarily set out in the Federal Data Protection Act (FDPA) and the Data Protection Ordinance (FDPO). As Switzerland is a member of neither the EU nor the EEA, the EU General Data Protection Regulation (GDPR) does not apply to Swiss companies, except where its extraterritorial scope under GDPR Art. 3 is triggered or, potentially, where Swiss conflict of law rules point to it. Conversely, the revised FDPA (revFDPA) can apply to companies located outside Switzerland.

The revFDPA and the revised Data Protection Ordinance will enter into force on 1 September 2023. In addition, the Federal Act on Information Security is expected to enter into force in mid-to-late 2023.

2) Data protection: EU adequacy with a Swiss finish

The revFDPA replaces the previous FDPA, which has been in force since 1993. The revision's key purpose was to ensure that Switzerland retains the EU Commission's adequacy finding. Losing that finding would make transfers of personal data from the EEA to Switzerland considerably harder. The renewal of the adequacy finding is still pending, but it is expected to be confirmed soon.

2) i) Similarities between the EU GDPR and the revFDPA

In keeping with the GDPR's general approach, the revFDPA contains many similar obligations and requirements; for example, obligations to:

  • keep records of processing activities (but an exemption applies for SMEs, except for high-risk processing);
  • provide notice whenever personal data is collected;
  • conduct data protection impact assessments where the processing is likely to result in a high risk;
  • have the proper agreements in place with processors and other recipients, especially for international data transfers;
  • comply with the principles of privacy by design and default;
  • report certain security breaches; and
  • safeguard data subject rights, including the right to data portability.

2) ii) Main differences between the EU GDPR and the revFDPA

While the revFDPA is generally similar to the GDPR, there are notable differences. A key point is that the revFDPA does not require a legal basis for processing to be lawful. Under the revFDPA, processing is lawful so long as it complies with the general processing principles (which are similar to those under GDPR Art. 5); a justification is only needed where those principles are breached. In practice, this means that consent is required far less often than under the GDPR. Two further points stand out: the revFDPA has no general principle of accountability, and is therefore less exposed to the wide interpretation seen in the case law of the European Court of Justice; and there is no obligation to appoint a DPO in Switzerland.

Overall, the revFDPA is more pragmatic and less prescriptive than the GDPR. Organisations that already comply with the GDPR can therefore update their documentation to meet the revFDPA's requirements with limited effort. One localisation requirement is that certain amendments must be made when the EU Commission's standard contractual clauses (SCCs) are used for transfers to third countries under the revFDPA. Another is that privacy policies, processing notices and data processing agreements may need slight adaptation to account for the revFDPA. For example, the revFDPA requires controllers to name in their privacy notices every country to which personal data is disclosed, including white-listed countries recognised as providing adequate protection.

In relation to these differences, companies abroad should note that the revFDPA can apply to them where their processing has an effect in Switzerland. In addition, such companies may be required to appoint a representative in Switzerland when certain conditions are met.

2) iii) Sanctions

The revFDPA retains the principle of personal liability that already exists under the current FDPA, but tightens the sanctions for breaches of data protection requirements. Individuals (and potentially directors and officers) who intentionally breach certain requirements may be personally liable to fines of up to CHF 250,000, and fines above CHF 5,000 are entered in the criminal record. Only where identifying the responsible individuals would require disproportionate effort may a fine of up to CHF 50,000 be imposed on the company instead.

Fines are possible only for certain breaches, including failing to provide accurate minimum information to data subjects (in privacy notices or in response to an access request), transferring data abroad without meeting the requirements, using processors without the necessary contractual arrangements, and failing to comply with the minimum data security requirements.

Overall, Swiss authorities have been more lenient than some EU data protection authorities. However, given the increased powers under the revFDPA, many expect enforcement to become somewhat more active.

3) Cybersecurity

There is no overarching cybersecurity legislation in Switzerland. Cybersecurity is addressed by a patchwork of acts and guidance specific to regulated industries. For example, supervised institutions must report cyberattacks to the Swiss Financial Market Supervisory Authority, FINMA. Outside such sector-specific duties, cyberattacks and other incidents can be reported to the National Cyber Security Centre (NCSC) on a voluntary basis. The NCSC was established in 2020 as the national cybersecurity competence centre to analyse cyber risks, inform the public about them and support victims of cyberattacks.

This will change to an extent with the new Information Security Act (ISA), which is expected to come into force in 2023. The ISA is primarily aimed at federal authorities, cantonal authorities and companies that perform public tasks. However, obligations on operators of critical infrastructure to report certain incidents to the NCSC are currently going through the legislative process and will likely be added to the ISA. These obligations may apply to a wide range of organisations, such as financial institutions, energy and health companies, certain cloud service providers and manufacturers of certain hardware and software.