30 years after the entry into force of the Federal Act on Data Protection (FADP; SR 235.1), the Federal Data Protection and Information Commissioner (FDPIC) published its 30th activity report in a media release dated 26 June 2023. In just under two months, the completely revised version of the FADP will enter into force, which will provide the federal data protection supervisory authority in particular with new instruments in order to “meet the legitimate expectations of the population for robust protection of their privacy and informational self-determination in accordance with the rule of law in a contemporary manner” At the same time, the FDPIC announces in its media release that it will intensify its supervisory activities once the revised FADP enters into force and even gradually increase the number of formal investigations. The following article outlines the challenges currently faced by the FDPIC, the extent to which these are relevant to companies in particular, and the other challenges the FDPIC has had to face in the course of its activities.
Keyword: Digital responsibility as entrepreneurial self-responsibility
In connection with the digital transformation as a phenomenon affecting society as a whole, every data processor or person responsible is exposed to new risks, which is why, in the view of the FDPIC, “digital responsibility is henceforth part of good management”. Compliance with the Data Protection Act is part of this responsibility. With the revised FADP, data controllers are obliged to take a “proactive approach”, whereby the law offers new instruments, in particular for establishing transparency, trust and credibility vis-à-vis the data subjects. There need not be zero risk in the processing of personal data, but with the new instruments, data controllers can identify, mitigate and take responsibility for residual risks, thus guaranteeing the privacy and informational self-determination of all data subjects. Proactive thinking is also required in technical security, in particular to counter cyber attacks with forward-looking measures.
The limits of digital self-responsibility
With the revised FADP, however, the legislator has also set a limit to the digital self-responsibility of data controllers: if it becomes apparent during the implementation of a project that the future processing of personal data is potentially associated with a high risk, the new FADP obliges the company or data controller to carry out a so-called data protection impact assessment (DPA) in order to determine the emerging risk more precisely and to take the necessary protective measures. If the risk of processing remains high even after the protective measures deemed appropriate have been implemented, the new FADP requires the FDPIC to become involved – the DIA must be submitted to the FDPIC for review. But beware: the FDPIC expressly states that the subsequent opinion of the FDPIC is not to be regarded as “approval” of the planned project! If a responsible party refuses to comply with important objections or suggestions from the FDPIC, the latter can take supervisory action, i.e. even open an investigation and, if necessary, order a ban on processing. According to its announcement, the FDPIC will intensify precisely this supervisory activity and increase the number of investigations.
According to the published activity report, the FDPIC faced a number of challenges in the area of data protection in the course of its activities in 2022/2023. Those that may be of particular interest from the perspective of companies are discussed below by way of example:
Data processing within the framework of certified systems
Together with the revised Data Protection Act, the new Ordinance on Data Protection Certification (DDPS; SR 235.13) is due to come into force on 1 September 2023. The FDPIC advised the Federal Office of Justice (FOJ) on the legislative work on the new FDPIC and comments on the handling of data processing from certified systems in the context of the activity report. Data protection certification means that data controllers are not required to carry out a DPA even if there is a high risk to the personality of the data subjects, and it is possible to (simply) document compliance with data protection legislation. The certification of (management) systems goes beyond the possibilities of the European data protection certification. These only cover products, services and processes. Foreign certifications that meet Switzerland’s requirements are recognised, as are certification bodies that cooperate with the Swiss Accreditation Service (SAS). Data protection certification is seen by the FDPIC as a significant means of promoting data protection and transparency in Switzerland.
Federal Supreme Court rules against the right to information of third parties in international tax administrative assistance
In 2019, the Federal Administrative Court upheld an appeal by the FDPIC which demanded that in international tax administrative assistance, persons not affected by the request for administrative assistance, i.e. third parties, should also be informed in advance if their name is to be transmitted to the requesting foreign authority without being redacted. This duty to inform should give third parties the opportunity to defend themselves against the unlawful transfer of their data. The Federal Tax Administration (FTA) appealed against this ruling to the Federal Supreme Court. In December 2021, the Federal Supreme Court changed its practice in favour of the FTA and overturned the earlier ruling after it had issued a landmark decision in another matter (BGE 146 I 172). Instead of complying with a general duty to inform, only those third parties must be informed where the right to appeal is virtually obvious on the basis of the files. The Federal Supreme Court denied a general prior duty to inform, which the FDPIC demanded, and referred to the statutory regulation in the Tax Administrative Assistance Act, which contradicts this approach. Thus, at least from the perspective of data protection law, the possibility to defend oneself against an impending data transfer seems to have been massively restricted.
Preliminary clarification due to cyber attacks
At the end of November 2022, the hosting provider Infopro AG fell victim to a cyber attack, as a result of which business customers temporarily lost access to the cloud application and to the personal data stored in the cloud. As a result, the FDPIC opened a preliminary investigation. In order to quickly clarify the facts and examine the requests received, contact was made with the company concerned. In particular, it was necessary to verify statements according to which customers had gained access to data of other customers due to a security vulnerability in the software. In the course of the preliminary investigation, the company was confronted with a comprehensive duty to cooperate, such as questionnaires. In addition, an exchange took place with the cantonal data protection authorities (privatim) and the National Cyber Security Centre (NCSC), which acts together with the competent law enforcement authorities. With reference to the responses received, the FDPIC found that the companies had taken appropriate measures to regain control of the data and to inform the customers concerned. For the time being, the FDPIC saw no need for additional measures, as no security breach was confirmed. In this respect, it can be said that the company concerned was aware of its need for proactive action and may have been able to avoid further investigative action by the FDPIC through this self-responsible action.
Cybersecurity: Amendment of the Information Security Act (ISG)
In its activity report, the FDPIC then comments on the planned amendment of the Federal Information Security Act (ISG; SR 128). In view of the increasing number of cyber incidents involving both private individuals and companies, the Federal Department of Finance (FDF) has been commissioned by the Federal Council to draw up a legal basis for the introduction of a reporting obligation for cyber attacks on critical infrastructures. These reports are to be made to the National Cyber Security Centre (NCSC), in particular to provide it with a better overview of cyberattacks in Switzerland. In this context, the draft provides for reports to the NCSC to be exempt from the Federal Act on the Principle of Publicity of the Administration (Federal Act on Publicity; SR 152.3). This amendment was rejected by the Federal Data Protection and Information Commissioner (FDPIC), as it impaired the principle of public access and hindered the NCSC’s task as a central reporting office. Against the special provisions that were made, the FDPIC requested the withdrawal of these very provisions. The FDPIC’s request was partially met by the FDF by reducing the scope of the exception. Although this restriction was welcomed by the FDPIC, it does not go far enough. From the point of view of the companies, this development should be taken into account to the extent that they should tend to exercise restraint in their reports, as there is a risk that, on the basis of the Freedom of Information Act, information from the company can be obtained by means of an access request that is not intended for third parties.