DATA PROTECTION IN SWITZERLAND

PART 4: A COMPARATIVE APPROACH BETWEEN SWITZERLAND, THE EUROPEAN UNION AND THE UNITED STATES

12 Jun 2017

The nature of data protection measures inherently requires that, when data is moved from one state to another, each jurisdiction has equivalent protections and sanctions in place. Switzerland and the European Union have similar protections that define the limits of data protection. While it can be argued that data protection in the European Union and Switzerland is a fundamental right, no equivalent protection currently exists in the United States.

This publication will thus compare the Swiss legal framework for protecting data with the systems in the European Union and the United States.

This newsletter is the last of four publications relating to data protection in Switzerland. The first publication looked at the various laws and ordinances covering the protection of data in Switzerland (status as at mid-2015); the second publication looked at banking secrecy, a significant area in which the protection of data is enshrined; and the third newsletter, published in early 2017, highlighted particular challenges in today’s society with respect to the protection of one’s data and the way in which the Swiss legal system addresses such concerns. The three earlier newsletters are available on our firm’s website under Publications.


Introduction

While the European Union (the “EU”) and Swiss laws and regulations regarding data protection show distinctive similarities, the United States (the “US”) system is very different by virtue of such protection being spread across a number of different laws, at both state and federal levels.

This newsletter presents a few key aspects of data protection in the three jurisdictions. Such a comparison allows the reader to appreciate the similarities and differences between the three frameworks, as well as providing an overview of how data is exchanged between member states of the EU, Switzerland and the US.


Legal Bases

Switzerland

The principal legislation governing data protection in Switzerland is the Swiss Federal Act on Data Protection of 19 June 1992 (“Swiss Data Protection Act”) and the accompanying Ordinance to the Federal Act on Data Protection of 14 June 1993.

Additionally, Articles 13(1) and (2) of the Federal Constitution of the Swiss Confederation of 19 April 1994 state that all persons have the right to privacy in their private life, family life, and in respect of their mail and telecommunications, and give persons the right to be protected against the misuse of their personal data.

There are also a number of obligations placed on professionals to ensure professional secrecy vis-à-vis their clients, as set out in detail in the first and second publications.[1]

In respect of the Swiss Data Protection Act, a draft bill reforming the provisions of that Act was published in December 2016. Where appropriate, the proposed amendments are mentioned throughout this newsletter.


The European Union

At the level of the EU, Directive 95/46/EC on data protection[2] (implemented at the level of each member state) applies to data processed by automated means and to data contained in, or intended to be part of, non-automated filing systems. As from 25 May 2018, this Directive will be replaced by Regulation (EU) 69/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the “General Data Protection Regulation” (the “GDPR”). It was necessary to update the framework for data protection in order to respond to changes in the environment resulting from increased globalisation and ongoing technological advances, both of which directly influence behaviours with respect to data.[3]

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“ETS 108”) is a Council of Europe Convention which Council of Europe member states (including all member states of the European Union and Switzerland) as well as non-member states have signed and ratified. ETS 108 sets out fundamental principles relating to the protection of data, upon which many other states have based their data protection laws.[4] Indeed, the 95 EU Directive is based upon the principles set out in ETS 108. ETS 108 is itself in the process of being modified, and the revisions to the Swiss Data Protection Act are also based upon the amendments to ETS 108 so that Switzerland can ratify the amended Convention.


The United States

Finally, within the US, no single federal law exists to regulate personal data collection and protection. One must look to a patchwork of laws regulating different aspects of data collection,[5] the most significant of which are the following:

· Federal Trade Commission Act (15 U.S.C. §§41-58) (“US FTC Act”), which prohibits unfair or deceptive practices;

· Privacy Act (5 U.S.C. §552a), which regulates the collection, use and disclosure of personal information about an individual by federal agencies;

· Financial Services Modernization Act (15 U.S.C. §§6801-6827) (“US Financial Services Act”), which applies to all businesses providing financial services and products and regulates the collection, use and disclosure of financial information;

· Fair Credit Reporting Act (15 U.S.C. §1681), which applies to consumer reporting agencies and agencies providing credit information about consumers;

· Controlling the Assault of Non-Solicited Pornography and Marketing Act (15 U.S.C. §§7701-7713 and 18 U.S.C. §1037) and the Telephone Consumer Protection Act (47 U.S.C. §227 et seq.), which regulate the collection and use of email addresses and telephone numbers;

· Electronic Communications Privacy Act (18 U.S.C. §2510) and the Computer Fraud and Abuse Act (18 U.S.C. §1030), which regulate the interception of electronic communications and computer tampering;

· Health Insurance Portability and Accountability Act (42 U.S.C. §1301 et seq.), which regulates medical data; and

· Judicial Redress Act (5 U.S.C. §552a), which was enacted in 2016 and extends certain rights of judicial redress already established under the Privacy Act to citizens of certain countries.[6] This Act allows citizens of EU member states to seek redress in US courts for violations of their privacy in the collection of personal information when it is disclosed to law enforcement agencies.[7]

The plethora of state legislation regulating different areas of data collection and transmission means that entities regularly need to navigate both state and federal laws to ensure that their activities comply with the applicable data protection frameworks.

Further, unlike the Swiss Data Protection Act and the 95 EU Directive (and the GDPR), which all apply to data held or processed by both private and public bodies, the above laws, as well as the state legislation providing equivalent measures in the US, regulate data held by public bodies and data held by private bodies under separate regimes.[8]


Scope of data regulated

The Swiss Data Protection Act regulates “personal data”, being all information relating to an identified or identifiable natural or legal person.[9] Additional measures exist to protect “sensitive personal data”, this being data relating to:

· religious, ideological, political or trade union-related views or activities;

· health, the intimate sphere or racial origin;

· social security measures; and

· administrative or criminal proceedings and sanctions.[10]

The revised draft of the Swiss Data Protection Act reduces the scope of protected data to data relating to individuals only and no longer covers the data of corporations. The definition of sensitive personal data is extended in the revised draft to include genetic and biometric data.

The current 95 EU Directive similarly defines “personal data” at Article 2 as “any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.

Unlike the Swiss Data Protection Act, the Directive does not contain a separate definition of sensitive personal data. Nonetheless, data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs and trade-union membership, and the processing of data concerning health or sex life, are treated in a much more cautious manner.[11]

The GDPR will also include biometric and genetic data in this category.[12]

The type of data protected in the United States logically depends on the applicable law. As an overview:

· The US FTC Act does not protect a particular category of data, but rather prohibits practices that fail to protect consumers’ personal information.[13]

· Although not an enforceable piece of legislation, the US Federal Trade Commission’s “Behavioural Advertising Principles” apply in respect of tracking consumers’ online activities.

· The US Financial Services Act protects non-public personal information (i.e. information that is not publicly available and which is capable of personally identifying a consumer or customer) collected by a financial institution, where such information is provided by, or otherwise obtained in connection with, consumers who obtain financial products or services from the institution primarily for personal, family or household purposes.[14]

· Personal information, such as one’s name, social security number, medical information, email address or phone number, is often protected by state legislation.[15]


Transfer Restrictions Generally

The Swiss Data Protection Act takes a restrictive approach to the transfer of a data subject’s personal data from one person to another. Article 10a of the Act provides that personal data may only be assigned to third parties by agreement or by law if:

· the data is processed only in the way the instructing party itself would be permitted to process it;

· the assignment is not prohibited by a statutory duty of confidentiality; and

· the instructing party ensures (i.e. through an agreement concluded between the two parties) that the third party can guarantee data security.

‘Third party’ is defined in the 95 EU Directive at Article 2 to include any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the data controller or processor, are authorised to process the data.

Pursuant to Article 8(2)(d) of the 95 EU Directive, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and data concerning health or sex life may only be disclosed to a third party in the course of the processor’s legitimate activities and with the prior consent of the data subject.

Additionally, Article 11(1) provides that where data has not been obtained from the data subject, the controller or its representative must, if disclosure to a third party is envisaged, provide the data subject with the identity of the controller, the purposes of the processing and any further relevant information. Data subjects are also entitled to be informed before their personal data is disclosed to third parties for the first time, allowing them to object to the use of such data for direct marketing.[16]

By comparison, the US FTC Act requires companies to comply with their own privacy policies (should one be in place) and to safeguard the data they collect.[17] The Federal Trade Commission has issued rules limiting the sharing of financial information and credit report information with others; however, such rules are not yet found in the US FTC Act itself.[18]

The US Financial Services Act restricts a financial institution from disclosing a consumer’s non-public information to non-affiliated third parties and requires it to notify its customers about its information-sharing practices.[19] This provision generally requires financial institutions to adopt an “opt out” mechanism so that the consumer can opt out of having such information disclosed to a third party.


Transfer of Data Overseas

The Swiss Data Protection Act prohibits personal data from being disclosed abroad if the privacy of the data subjects would be seriously endangered thereby, in particular due to the absence of legislation that guarantees adequate protection.[20]

Whether a state has legislation that guarantees adequate protection depends on the determination of the Federal Data Protection and Information Commissioner (indeed, the Commissioner keeps a publicly available,[21] running list of states that provide such protection and those that do not). Notably, the EU member states are deemed by the Commissioner to have such legislation in place. In fact, any country which has ratified ETS 108 or implemented the 95 EU Directive is deemed to have an adequate level of data protection in place.[22]

In the event that a state does not provide adequate protection, Article 6(2) of the Swiss Data Protection Act sets out certain circumstances in which data can nonetheless be transferred abroad, including where sufficient safeguards, such as contractual clauses, ensure an adequate level of protection abroad, or where the data subject has consented in the specific case.

In April 2017, the Swiss-US Privacy Shield was implemented, allowing US companies that have joined the shield and are registered with the US Department of Commerce to be recognised as offering an adequate level of protection in relation to personal data from Switzerland.[23]

Article 25 of the 95 EU Directive similarly requires that third states “ensure an adequate level of protection”. Article 25(2) provides more detail as to how such protection is to be assessed than is contained in the Swiss Data Protection Act: the elements to be taken into consideration include the nature of the data, the purpose and duration of the processing operations, the country of origin and destination, the rules of law in force in the third country, and the professional rules and security measures in place in the third country.

Article 26 of the 95 EU Directive sets out circumstances in which, provided each member state enables this in its local law, data can be transferred to a third country “which does not ensure an adequate level of protection within the meaning of Article 25(2)”. Although there are similarities with the exceptions set out in Article 6(2) of the Swiss Data Protection Act (for example, where the data subject has consented to the transfer, where the transfer is legally required on public interest grounds, or where it is necessary to protect the vital interests of the data subject), the exceptions in Article 26 go further in defining when a transfer may be contractually necessary, and therefore justify transfers in more situations than the exceptions in the Swiss Data Protection Act.

In terms of data transfer between the European Union and the United States, the Court of Justice of the European Union held in late October 2015 that the previous Safe Harbour arrangements between the EU and the US were invalid.[24] This led the European Commission and the US Department of Commerce to establish the Privacy Shield framework (upon which the Swiss-US Privacy Shield framework, mentioned above, was modelled). The Privacy Shield has resulted in a more robust process for the transfer of data between entities in EU member states and the US.

Comparatively, very few measures exist relating to the transfer of data from the US overseas. While regulated entities and governmental bodies are subject to certain restrictions on the transfer of data outside the US,[25] there is no “blanket” regulation outlining how and when transfers out of the jurisdiction are permitted. Restrictions would thus need to be put in place in agreements between data controllers and the data subjects and/or recipients.


Regulatory Bodies

As part of its role, the Swiss Federal Data Protection and Information Commissioner supervises federal and private bodies, advises private bodies, informs the public of its findings and recommendations, and cooperates with data protection authorities in Switzerland and abroad. The Commissioner also maintains and publishes the register of data files pursuant to the Swiss Data Protection Act.[26] The Commissioner can investigate facts on its own initiative or at the request of another party and can then issue recommendations.

In respect of the European Union, most member states have in place a national data protection authority or regulator. Such authorities are given the power to investigate and prosecute violations of data protection laws and, on a more general level, to raise awareness of rights and obligations relating to data protection.[27]

The Federal Trade Commission in the United States enforces the vast majority of national laws relating to privacy. The Commission’s powers and duties include initiating investigations, issuing cease and desist orders and filing complaints in court. Beyond enforcement, it regularly reports on privacy issues and provides recommendations in respect of privacy legislation.[28]

Our Experience

lecocqassociate provides a full range of financial regulatory, corporate and commercial advice in relation to the structuring and incorporation of entities.

This newsletter is for information purposes only. It does not constitute professional advice or an opinion. Please contact Mr. Dominique Lecocq for any questions.


[2] Full name being Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to processing of personal data and on the free movement of such data (“95 EU Directive”).

[3] Jean-Philippe Walter, “La révision de la Convention du Conseil de l’Europe pour la protection des personnes à l’égard du traitement automatisé des données à caractère personnel (Convention 108) et les répercussions pour la Suisse”, at page 78, in Astrid Epiney and Daniela Nüesch, “La révision de la protection des données en Europe et la Suisse”.

[4] Jean-Philippe Walter, “La révision de la Convention du Conseil de l’Europe pour la protection des personnes à l’égard du traitement automatisé des données à caractère personnel (Convention 108) et les répercussions pour la Suisse”, at page 79, in Astrid Epiney and Daniela Nüesch, “La révision de la protection des données en Europe et la Suisse”.

[5] Ieuan Jolly, “Data Protection in the United States: Overview”, <https://uk.practicallaw.thomsonreuters.com/6-502-0467?transitionType=Default&contextData=(sc.Default)>, accessed on 29 May 2017.

[6] The United States Department of Justice, “Judicial Redress Act of 2015”, <https://www.justice.gov/opcl/judicial-redress-act-2015>, accessed on 29 May 2017.

[7] Ieuan Jolly, “Data Protection in the United States: Overview”, <https://uk.practicallaw.thomsonreuters.com/6-502-0467?transitionType=Default&contextData=(sc.Default)>, accessed on 29 May 2017.

[8] European Parliament Directorate-General for Internal Policies, “A Comparison between US and EU Data Protection Legislation for Law Enforcement”, 2015.

[9] Article 3(a) and (b) of the Swiss Data Protection Act.

[10] Article 3(c) of the Swiss Data Protection Act.

[11] Article 8 of Directive 95/46/EC.

[12] Reinhard Oertli, “Draft revision of the Swiss Federal Data Protection Act compared with the legal situation in the EU”, <http://www.lexology.com/library/detail.aspx?g=66873124-2a41-42c8-b60f-d3592e8dacd6>, accessed on 29 May 2017.

[13] Ieuan Jolly, “Data Protection in the United States: Overview”, <https://uk.practicallaw.thomsonreuters.com/6-502-0467?transitionType=Default&contextData=(sc.Default)>, accessed on 29 May 2017.

[14] Title V, Subtitle A – Disclosure of Nonpublic Personal Information, US Financial Services Act.

[15] Ieuan Jolly, “Data Protection in the United States: Overview”, <https://uk.practicallaw.thomsonreuters.com/6-502-0467?transitionType=Default&contextData=(sc.Default)>, accessed on 29 May 2017.

[16] Article 14(b) of the 95 EU Directive.

[17] Section 5 of the US FTC Act.

[18] Ieuan Jolly, “Data Protection in the United States: Overview”, <https://uk.practicallaw.thomsonreuters.com/6-502-0467?transitionType=Default&contextData=(sc.Default)>, accessed on 29 May 2017.

[19] Section 502 of the US Financial Services Act.

[20] Article 6(1) of the Swiss Data Protection Act.

[21] Swiss Federal Data Protection and Information Commissioner, “Transborder Data Flows”, <https://www.edoeb.admin.ch/datenschutz/00626/00753/index.html?lang=en>.

[22] Clara-Ann Gordon and Phillip Schmidt and Global Legal Group, The International Comparative Legal Guide to Data Protection 2016 in “Chapter 26: Switzerland”, <http://www.nkf.ch/wAssets-nkf2/docs/publikationen/clara_ann_gordon/DP16_Chapter-26_Switzerland.pdf>, accessed on 30 March 2017.

[23] Federal Data Protection and Information Commissioner, “Transborder data transfers briefly explained”, <https://www.edoeb.admin.ch/datenschutz/00626/00753/index.html?lang=en>.

[24] Case 362/14, Maximillian Schrems v Data Protection Commissioner.

[25] Ieuan Jolly, “Data Protection in the United States: Overview”, <https://uk.practicallaw.thomsonreuters.com/6-502-0467?transitionType=Default&contextData=(sc.Default)>, accessed on 29 May 2017.

[26] Federal Administration, “Federal Data Protection and Information Commissioner”, <https://www.edoeb.admin.ch/org/00126/index.html?lang=en>, accessed on 29 May 2017.

[27] European Data Protection Supervisor, “The EU’s independent data protection authority”, <https://edps.europa.eu/data-protection_en>, accessed on 29 May 2017.

[28] Ieuan Jolly, “Data Protection in the United States: Overview”, <https://uk.practicallaw.thomsonreuters.com/6-502-0467?transitionType=Default&contextData=(sc.Default)>, accessed on 29 May 2017.