DATA PROTECTION IN SWITZERLAND

10 Jan 2017

PART 3: CURRENT CHALLENGES FACING DATA PROTECTION

The improvements that businesses and individuals have experienced as a result of the advent of the internet are innumerable and have permeated every facet of life in Switzerland. One consequence is that data is exchanged far more freely between parties and across borders, whether through document-sharing services, subscriptions to online stores or the outsourcing of business activities to an entity overseas. This poses a significant challenge: personal data must remain safeguarded, and not abused, once it has left the hands of the party that collected it. This newsletter presents these challenges and the way in which the Swiss legal system addresses each of them.

This newsletter forms part of a set of four publications relating to data protection in Switzerland. The first publication looked at the various laws and ordinances covering the protection of data in Switzerland (status as at mid-2015), and the second looked at banking secrecy, a significant area in which the protection of data is enshrined. The fourth publication, due for release later in 2017, will compare the Swiss legal framework for protecting data with the systems in the European Union and the United States.


Introduction

Switzerland is one of the world's leading countries in the use of information and communication technologies: 100% of businesses in Switzerland depend on internet infrastructure, the highest rate among the members of the Organisation for Economic Co-operation and Development.[1] At the same time, it has established itself as a leader in internet governance and has been a driver of a number of international and regional summits and forums on reforming internet governance.[2]

Although Switzerland is one of the countries generating the least cybercrime, the cross-jurisdictional nature of such crime necessarily makes it an issue for every country, including Switzerland. The challenges that the internet poses for data protection and for the protection of property in general must, however, be balanced by legislators against the risk of intruding too far and consequently stifling innovation.[3]

Currently, the bulk of the legal framework in Switzerland that defines the limits with respect to the use and transmission of personal data is found in the Swiss Federal Act on Data Protection of 19 June 1992 (“Data Protection Act”).

The Federal Data Protection and Information Commissioner ("Commissioner") is the authority in Switzerland that supervises both the private and the public sphere with respect to data protection.[4] The Commissioner publishes non-binding, explanatory guidelines to provide a measure of legal certainty on specific matters affecting data protection in Switzerland.

This publication lists a number of significant trends that potentially pose a problem for the protection of data and sets out, for each, the Swiss legal framework that currently addresses it.

Transfer of Data Overseas

Issue

A State may have a sufficient legal and practical framework to protect its residents' data, yet the nature of the internet makes transferring that data very easy. The transfer may be from one local government department to another, or from a private entity in Switzerland to a private entity overseas. It is therefore essential that local law governs the transfer of data outside the jurisdiction, so that safeguards remain in place for residents' data once it has been moved out of the country.

Protection under Swiss Law

Article 6(1) of the Data Protection Act prohibits personal data from being disclosed abroad if the privacy of the data subjects "would be seriously endangered thereby, in particular in the absence of legislation that guarantees adequate protection." If the receiving State has no such legislation, or if its legislation does not protect the data sufficiently, personal data may be disclosed only in the following circumstances:

· sufficient safeguards, in particular contractual clauses, ensure an adequate level of protection abroad and the Commissioner has been informed of those safeguards;

· the data subject has consented in the specific case;

· the processing is directly connected with the conclusion or the performance of a contract and the personal data is that of a contractual party;

· disclosure is essential in the specific case either to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal claims before the courts;

· disclosure is required in the specific case to protect the life or the physical integrity of the data subject;

· the data subject has made the data generally accessible and has not expressly prohibited its processing; or

· disclosure is made within the same legal person or company, or between legal persons or companies under the same management, provided those involved are subject to data protection rules that ensure an adequate level of protection and the Commissioner has been informed of those rules.[5]

These exceptions to the prohibition on disclosing data overseas allow organisations to do so where the receiving State's legislation does not provide strict protection of the data but alternative arrangements in that State do guard against serious danger to the privacy of the person or entity concerned. The Commissioner also keeps a list of countries that it has determined to have an adequate level of legislative protection for individuals' data. The currently published list was last updated on 2 May 2016.[6]

Assigning Data to Third Parties

Issue

It is becoming more common for entities to outsource part of their activities, whether to ensure that a task is completed with the required level of specialisation, to increase efficiency, or for a variety of other reasons.[7] When data is transferred to the third party in the course of such outsourcing, it is equally important that the data handed over by the original, instructing party be protected by that third party.

Protection under Swiss Law

Article 10a of the Data Protection Act states that the processing of personal data may be assigned to third parties by agreement or by law only if all of the following conditions are fulfilled:

· the data is processed only in the manner permitted for the instructing party itself;

· the assignment is not prohibited by a statutory or contractual duty of confidentiality; and

· the instructing party ensures, in particular, that the third party guarantees data security.[8]

There is currently no general requirement that the instructing party (which initially receives the data) notify the data subject of such outsourcing. The Data Protection Act does set down particular circumstances in which the instructing party must declare its assignment, such as where private persons regularly disclose personal data to third parties.[9] Additionally, anyone who processes personal data must not disclose sensitive personal data or personality profiles to third parties without justification.[10]

To the extent that the sub-contractor is overseas, the provisions of Article 6 of the Data Protection Act (summarised above) also apply. The Commissioner's website provides a model "standard contract for the trans-border outsourcing of data processing" which can be used to better protect both the instructing party and the third party in outsourcing arrangements.[11]

Banks, Securities Dealers and Insurance Companies

Certain industries are also restricted in the manner in which data-related activities may be outsourced. FINMA, Switzerland's financial market supervisory authority, has revised its Circular 2008/7 on the outsourcing of services. The draft revised circular would apply not only to banks and securities dealers but also to insurance companies.

For any significant outsourcing that is relevant to security, such as IT, the bank, securities dealer or insurance company must conclude an agreement that sets out the security measures.[12] Any other outsourcing must be based on a written agreement.[13] Outsourcing overseas requires the service provider to fulfil a number of stringent requirements.[14]

The draft revised circular is now in its consultation period, which is due to end on 31 January 2017.

Cloud Computing

Issue

Cloud computing allows the user to access software, storage capacity or computing power via a network as and when needed.[15] Cloud storage systems can be publicly available to individuals and companies on a subscription basis, such as Apple iCloud or Dropbox. Entities can also have their own, segregated cloud that holds only that entity's data. Increasingly, Swiss organisations such as banks are providing a cloud service to their clients as well.

The advantages of such a system are obvious and need not be listed here; there are, however, issues regarding the protection of data kept in the "cloud" that should be taken into account before an individual or entity decides to migrate its data there.

Protection under Swiss Law

Unless the cloud is operated by the entity or individual holding the personal data itself, the use of a cloud to hold personal data in Switzerland will generally fall within the category of data processing by a third party, and the instructing party will have to comply with the requirements of Article 10a set out in the section above on outsourcing. In other words, the cloud service provider must fully comply with data protection law.[16]

The cloud user must also make sure that the cloud service provider protects personal data with appropriate technical and organisational measures against unauthorised processing, and that it maintains the confidentiality, availability and integrity of that data.[17] Where the cloud service provider is overseas, the provisions mentioned above regarding the transfer of data overseas must be upheld, as the data will be leaving Swiss territory.

Cookies

Issue

"Cookies" is the term for small pieces of data that a web server hands to a web browser, the purpose of which is to recognise users and to save information about them.[18] The server sends the cookie in its response; the browser stores it and returns it with subsequent requests to the same site, so the information is available for use at a later time. We are all familiar with cookies that store an email address for regular use on a website, authentication cookies that allow us to sign in again without re-entering our details, or cookies that remember what we browsed in an online store.

Users must be able to decide whether they want cookies to be set, because the information collected frequently includes personal data which, in the wrong hands, can lead to identity theft and a range of other cybercrimes.
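The two practical consequences of the paragraph above are that a cookie should not carry personal data itself, and that non-essential cookies should only be set while the user has not refused them. The following Python example is added here to illustrate both; it is not code from the original newsletter or from any Swiss authority. The cookie names `sid` and `_an`, the 32-hex-character session identifier format and the sample values are all assumptions made for the example.

```python
import re
from http.cookies import SimpleCookie
from typing import List, Optional

# Constructed sample value (not from the page): an opaque session identifier.
SAMPLE_SESSION_ID = "3f9c2a7e1b4d5c6a8e0f1a2b3c4d5e6f"
_SESSION_ID_RE = re.compile(r"^[0-9a-f]{32}$")  # assumed token format


def session_cookie(session_id: str) -> str:
    """Set-Cookie value for the login session (cookie name `sid` is assumed).

    The cookie carries only an opaque identifier; the personal data it refers
    to stays server-side, so a stolen cookie does not itself disclose that data.
    """
    c = SimpleCookie()
    c["sid"] = session_id
    c["sid"]["httponly"] = True    # not readable from page JavaScript
    c["sid"]["secure"] = True      # only sent over TLS
    c["sid"]["samesite"] = "Lax"   # not attached to cross-site POSTs
    c["sid"]["path"] = "/"
    return c.output(header="").strip()


def analytics_cookie() -> str:
    """Non-essential tracking cookie (hypothetical name `_an`, no personal data)."""
    c = SimpleCookie()
    c["_an"] = "v1"
    c["_an"]["secure"] = True
    c["_an"]["samesite"] = "Lax"
    c["_an"]["path"] = "/"
    return c.output(header="").strip()


def response_cookies(session_id: str, tracking_refused: bool) -> List[str]:
    """Set-Cookie header values for one response under an opt-out rule.

    The session cookie is always required.  The tracking cookie is set only
    while the user has not refused it; how the refusal is recorded (for
    example in a preference cookie) is outside this example.
    """
    headers = [session_cookie(session_id)]
    if not tracking_refused:
        headers.append(analytics_cookie())
    return headers


def load_session_id(cookie_header: str) -> Optional[str]:
    """Extract `sid` from an inbound Cookie header.

    Whatever the browser sends is untrusted; a value that does not match the
    expected token format is rejected before it can reach a session lookup.
    """
    c = SimpleCookie()
    c.load(cookie_header)
    if "sid" not in c:
        return None
    value = c["sid"].value
    return value if _SESSION_ID_RE.fullmatch(value) else None


def missing_cookie_attributes(set_cookie: str) -> List[str]:
    """Audit a Set-Cookie header value; return the hardening attributes it lacks."""
    attrs = {
        part.strip().split("=", 1)[0].lower()
        for part in set_cookie.split(";")[1:]
    }
    wanted = ["HttpOnly", "Secure", "SameSite"]
    return [a for a in wanted if a.lower() not in attrs]


if __name__ == "__main__":
    for header in response_cookies(SAMPLE_SESSION_ID, tracking_refused=False):
        print("Set-Cookie:", header, "| missing:", missing_cookie_attributes(header))
    # A legacy cookie that stores an email address in the clear, for contrast.
    print(missing_cookie_attributes("email=alice@example.ch; Path=/"))
```

`missing_cookie_attributes` can be run over the `Set-Cookie` headers of an existing site to find cookies that are readable by scripts or sent over plain HTTP; a cookie whose value is itself an email address or name fails the first rule regardless of its attributes.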

Protection under Swiss Law

For almost a decade, Swiss law has protected consumers against overly aggressive cookie techniques through Article 45c(b) of the Federal Telecommunications Act of 30 April 1997 ("Telecommunications Act"). Under this provision, cookies are permitted only "if users are informed about the processing and its purpose and are informed that they may refuse to allow processing". Switzerland thus follows what is known as the "opt-out" rule: the user must be informed and given the means to refuse, but prior consent is not required.[19]

Additionally, should sensitive personal data or personality profiles be collected through the use of cookies, the provisions of the Data Protection Act relating to consent are triggered and must be followed.[20]

Next Steps

Although the Swiss legal system deals with each of the challenges presented above, there remains a significant issue that the Swiss authorities cannot tackle alone: the very cross-border nature of the internet means that those who infringe data protection law may not be easy to identify and penalise. How, for instance, can Switzerland muster the clout required to protect data collected by major internet services such as Google and Facebook? In this regard, Switzerland should continue to participate actively in international dialogues to ensure that legal frameworks are applied on a regional and international basis.[21]

At the time of publishing this article, the Federal Council has published a "pre-draft" revised Data Protection Act, which would see Switzerland fulfil the conditions for ratifying the recent Council of Europe "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data". The amendments would also align the Swiss position with the European Union's General Data Protection Regulation 2016/679.[22] Such amendments are seen as essential if the European Union is to continue to regard Switzerland as a State with an adequate level of data protection, so that data exchanges can continue.[23] This will be discussed in more detail in the fourth and final instalment of lecocqassociate's publications on data protection, to be released later in 2017. In an effort to strengthen the protection of data beyond the direct relationship between the instructing party and the data subject, the pre-draft revised Data Protection Act currently contains stricter requirements for the transfer of personal data overseas and for outsourcing (in particular, a requirement to notify the data subject of the outsourcing). It will be interesting to see whether these amendments survive in the final, revised version of the Act.

Finally, the Telecommunications Act will also soon be revamped: the Federal Department of the Environment, Transport, Energy and Communications is due to release a draft revised Telecommunications Act in September 2017.[24] At this stage it does not appear that Article 45c(b) of the Telecommunications Act will be affected by the revision.

Our Experience

lecocqassociate provides a full range of advice in the fields of financial regulation and corporate law, as well as on business matters relating to the structuring and incorporation of various entities.

The content of this newsletter is for information purposes only and does not constitute professional advice. For any questions, please contact Me Dominique Lecocq (drl@lecocqassociate.com).

[1] Directorate of Political Affairs, Politorbis (Revue de politique étrangère), "Switzerland and Internet Governance: Issues, actors and challenges", No. 57, 2/2014, pages 5 and 15.

[2] Such involvement by Switzerland includes its role during the World Summit of the Information Society, its support of the Internet Governance Forum and its involvement with the European Dialogue on Internet Governance.

[3] Directorate of Political Affairs, Politorbis (Revue de politique étrangère), "Switzerland and Internet Governance: Issues, actors and challenges", No. 57, 2/2014, page 9.

[4] The Privacy, Data Protection and Cybersecurity Law Review, Edition 2 (November 2015), "Chapter 24: Switzerland", Jürg Schneider and Monique Sturny, edited by Alan Charles Raul, page 315.

[5] Articles 6(2) and (3) of the Data Protection Act.

[6] Federal Data Protection and Information Commissioner, "Transborder data flows", <https://www.edoeb.admin.ch/datenschutz/00626/00753/index.html?lang=en>.

[7] See the Commissioner's website on this matter: Federal Data Protection and Information Commissioner, "Data transfers abroad for outsourced data processing", <https://www.edoeb.admin.ch/dokumentation/00153/00184/00189/index.html?lang=en>.

[8] Articles 10a(1) and (2) of the Data Protection Act.

[9] Article 11a(3)(a) of the Data Protection Act.

[10] Article 12(2)(c) of the Data Protection Act.

[11] Federal Data Protection and Information Commissioner, “Outsourcing: Data transfers abroad for outsourced data processing”, <https://www.edoeb.admin.ch/datenschutz/00626/00753/00969/index.html?lang=en>.

[12] Paragraph 31 of the draft revised FINMA circular "Outsourcing – banks and insurers".

[13] Paragraph 39 of the draft revised circular.

[14] Paragraphs 36 to 38 of the draft revised circular.

[15] Federal Data Protection and Information Commissioner, “Guide to cloud computing”, <https://www.edoeb.admin.ch/datenschutz/00626/00876/01203/index.html?lang=en>.

[16] Federal Data Protection and Information Commissioner, “Guide to cloud computing”, <https://www.edoeb.admin.ch/datenschutz/00626/00876/01203/index.html?lang=en>.

[17] Articles 7 and 8 of the Data Protection Act and Article 20 of the Ordinance to the Federal Act on Data Protection of 14 June 1993.

[18] "What are Cookies and What do Cookies do?", <http://www.webopedia.com/DidYouKnow/Internet/all_about_cookies.asp>.

[19] The Privacy, Data Protection and Cybersecurity Law Review, Edition 2 (November 2015), "Chapter 24: Switzerland", Jürg Schneider and Monique Sturny, edited by Alan Charles Raul, page 322.

[20] Walter Wyss, "Data Security and Cybercrime in Switzerland", 26 September 2016, <http://www.lexology.com/library/detail.aspx?g=7d85a979-d400-415d-9910-e30e500810e9>.

[21] Directorate of Political Affairs, Politorbis (Revue de politique étrangère), "Switzerland and Internet Governance: Issues, actors and challenges", No. 57, 2/2014, page 47.

[22] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

[23] Federal Office of Justice, "Renforcement de la protection des données" (Strengthening data protection), <https://www.bj.admin.ch/bj/fr/home/staat/gesetzgebung/datenschutzstaerkung.html>.

[24] Federal Council, "Confirmation de la nécessité de réviser la loi sur les télécommunications" (Confirmation of the need to revise the Telecommunications Act), <https://www.admin.ch/gov/fr/accueil/documentation/communiques.msg-id-63882.html>.