"Swiss Finish" threatening for SMEs?
Not only the intensive digitalisation, but also the revision of the Data Protection Act (DSGVO) is putting Swiss businesses to the test. The Federal Council wants to introduce a law to "secure jobs and prosperity". SMEs in particular see the so-called "Swiss Finish" in the new regulations as a negative development. To what extent could they be put under pressure by the revision? A comparison.
The aim of the revision of the FADP is to "increase transparency and strengthen the self-determination of data subjects over their data", writes the Federal Council in the preliminary draft law. However, there are other obvious reasons for introducing a stricter law in times of digital upheaval:
The Council of Europe is revising its data protection convention, which Switzerland has also ratified. If Switzerland were to fail to take a stance on this, it could be stripped of its status as a "safe haven", as a partner third country. The EU is also revising its corresponding legislation, which will also affect Swiss companies that do business with EU clients.
Controversy DSG
Criticism of the new law comes from all sides. Especially for small and medium-sized enterprises, much will have to change with the new legislation. Small SMEs such as advertising agencies could be rigorously obliged to inform participants in a circular or a competition after the collection of personal data - this is actually the main element of the Unfair Competition Act (UCA).
Every company, no matter how small, would have to be able to provide information about which personal data it processes and for what purpose, and who is ultimately responsible for the processing of personal data. It is said that with the revision, the Federal Council wants to increase transparency in data processing and promote citizens' self-determination over their data.
In addition, the obligations of the bodies responsible for data processing are to be expanded. For example, the draft law provides for a so-called data protection impact assessment. If a person is exposed to an "increased risk" as a result of the data collection, the data processor could be sanctioned, if not fined, by the Federal Data Protection and Information Commissioner (FDPIC).
However, the trade associations criticise the stricter provisions in the context of "data impact assessment" and "increased risk". Company information officers would have their backs to the wall if they were not allowed to link personal customer data with other customer preferences - or could be held responsible for any data collection.
It must be possible to submit any results of the data impact assessment to the data protection officer or FDPIC. Critics of the new law see an immense additional burden that will be imposed on smaller companies. The Swiss Trade Association, which is "generally questioning" the revision, is very firm: "In principle, the expansion of documentation and reporting obligations provided for in the draft is disproportionate."
Differentiations
Advocates of the new DPA come per se from the side of data protection and consumer protection. However, privatim, the association of Swiss data protection commissioners, also makes an explicit distinction between the revision and the current DPA. privatim points out that some points on the data protection provision in the revision are formulated too vaguely:
For example, the new laws apply to private data processors ("private individuals") as well as to public bodies ("federal bodies").
The commissioned data protection experts therefore recommend that data protection under private and public law be standardised in two laws. Such a division would have to comply with the principle of legality under Art. 5 para. 1 of the Federal Constitution (see Principles of the Rule of Law) and privacy under Art. 28 of the Civil Code (see also Civil Rights).
Nevertheless, the data protection authorities point out (see opinion of 9 March 2017) that "considerably more resources", with "a maximum of one or two posts", would have to be expected for the operational fulfilment of tasks such as the data protection impact assessment.
Comments
Even lawyers are sounding the alarm about a sanctions system in which individual employees - for example in the advertising and data processing industries - could face harsher sanctions. The trade association Swico, the association of Swiss ICT providers, has also formed a sub-commission and taken a stand:
"The deadline of six months for the approval of Binding Corporate Rules by the FDPIC is far too long, impracticable and leads to great legal uncertainty. Here, the previous regulation of 30 days should be used," Christa Hofmann, Head of Legal & Public Affairs at Swico, also explains that the current data protection law has accompanied the digitalisation of Switzerland in the best possible way and has fulfilled its purpose.
The lawyer also believes: "Newly introduced or extended obligations that go beyond the level of European data protection harmonised by the GDPR as a 'Swiss Finish' are to be rejected". According to the Swiss business association, the circle of employees potentially liable to criminal prosecution could be restricted from the outset by contracts (in accordance with Art. 29 StGB). In any case, this "Swiss Finish" is too strict as far as the future economic compatibility of Swiss companies is concerned.
"The risk assessment in the context of new innovations in the data economy would always have to be carried out in the light of possible criminal prosecution of the employees of the corresponding companies, which does not exist in this way in other European countries," emphasises the SDV Swiss Dialogue Marketing Association.
Swiss Finish too strict
If the GDPR were implemented as proposed, the Swiss economy and especially domestic SMEs would be at a locational disadvantage. Such a "go-it-alone" approach could harm the innovative strength and potential of the digital economy in Switzerland, especially that of Swiss SMEs. For this reason, "KS/CS Kommunikation Schweiz" also rejects the official draft.
The Data Protection Act should only be revised to the extent that international requirements make it mandatory. The umbrella organisations strictly reject any "Swiss Finish" going beyond this (particularly serious in the area of "profiling" and the "system of sanctions"). Such a catalogue of penalties would be futile in practice.
Until the consultation on the revision, which is to be decided in parliament at the end of 2017, a lot of data will still flow through Swiss servers. In order not to leave the monitoring of data protection compliance solely to the Federal Data Protection and Information Commissioner (FDPIC) or the companies concerned themselves, some politicians could imagine that the "Swiss Finish" could take this official route:
Any intensive data processing would involve an external data audit similar to a financial audit or otherwise an operational data protection officer (similar to a Chief Information Officer).