Following a two-year transition period, the European General Data Protection Regulation ("GDPR") will be ratified on 25 May 2018. Although the Swiss Federal Council published the revised draft of the Swiss Data Privacy Law on 15 September 2017, it is not expected to be ratified until 1 August 2018.
What do these changes to the legislation mean for Swiss enterprises and what are the resulting risks concerning the handling, storage and processing of data?
Swiss Data Protection Act - Draft
While the European Union regulation will become effective in a few months, the Swiss Federal Council has published a draft to revise the Swiss Data Protection Act.
With regard to potential new or enhanced risks, the current version of the draft contains some paragraphs that require careful consideration. The draft act adopts a risk-based approach that distinguishes between "high risk" and "low risk" activities. Furthermore, the draft act requires the responsible person(s) to assess the potential risks of a privacy breach within a formalised process.
Prior to the Swiss act coming into effect, the EU-wide GDPR is due to be ratified on 25 May 2018.
What does the EU regulation mean for companies domiciled in Switzerland?
As the geographical reach of the regulation expands, not only EU companies are subject to it; Swiss organisations may also be affected: if they either offer goods or services to individuals domiciled in the EU or monitor the behaviour of individuals in the EU, the regulation will de facto apply.
For example, this applies to processing and storing data that is subject to EU law (i.e. personal data of EU citizens), regardless of whether the data is being processed for marketing purposes or to register an existing client relationship.
However, as Switzerland is outside the EU, the GDPR would apply via its extraterritorial scope. This scope captures entities outside the geographical EU that offer services as explained above. As the regulation has yet to come into effect, it is unclear how the EU intends to pursue regulatory inquiries and sanctions against entities in Switzerland. There is a further question as to what will happen with subsidiaries domiciled in the EU. Sanctions include not only fines of up to 2% or 4% of worldwide turnover but also the possibility of a permanent ban on certain data processing activities, which in practice could even lead to the closure of certain businesses.
From a risk manager's point of view this means that the enforceability and severity of measures will be significantly increased by the new regulation in the EU. Companies will be required to ensure compliance with effect from May 2018 and to ensure that the notification provisions to the relevant authority are adhered to (within 72 hours). By identifying and assessing the exposed assets, organisations will be able to take a risk-based decision on how to control and manage the remaining financial risk.
Focus on the EU General Data Protection Regulation
Until the mid-1990s, the data protection laws of EU member states were largely unharmonised. This meant that businesses operating in the EU faced different compliance obligations depending upon national legal requirements.
In 1995 the EU introduced Directive 95/46/EC which created a broadly consistent set of data protection laws for the EU.
The directive (like any EU directive) needed to be transposed into the national laws of member states. Consequently, although the general principles of data protection law are similar across the EU, there remain differences between the laws of each member state and so businesses continue to face conflicting requirements. Furthermore, the various EU member states have taken divergent approaches to implementing the directive, creating compliance difficulties for many businesses.
Since 1995, there has been significant advancement in information technology and fundamental changes to the ways in which individuals and organisations communicate and share information. Data in itself has become an increasingly valuable asset for many businesses. The volume of data routinely collected and used by organisations far exceeds what could have been imagined in 1995.
The explosive growth of social networking and big data analytics (among other things) highlighted the fact that the existing law is outdated and that a new approach to data protection is required, leading to the European Commission publishing its first draft of the Regulation in 2012.
The key changes
Challenging for businesses
- Increased enforcement powers
- New obligations of data processors
- Expanded territorial scope
- Consent, as a legal basis for processing, will be harder to obtain
- Privacy by design and by default
- Strict data breach notification rules
- The ‘right to be forgotten’
- The right to object to profiling
- The right to data portability
Positive for businesses
- Greater harmonisation
- Risk-based approach to compliance
- The ‘one-stop shop’
- Binding corporate rules
The purpose of the new regulation
The purpose of the Regulation is to further harmonise national data protection laws across the EU, strengthen the obligations on those who use personal data, and enhance individuals' rights. At the same time, new technological developments are taken into account.
The Regulation will be directly applicable across the EU, without the need for national implementation. Businesses are likely to face fewer national variations in their data protection compliance obligations. However, there remain areas in which there will continue to be differences from one member state to another.
What happens next?
The EU Parliament voted to adopt the Regulation on 14 April 2016. Once published in the Official Journal, there will be a two-year implementation period, with the Regulation coming into force on 25 May 2018.
Data protection will become a significant compliance risk for organisations along the same lines as antitrust issues, with significant regulatory sanctions. Under the Regulation, data protection will no longer be an area in which businesses can afford to take casual risks.
The Regulation is likely to require company-wide changes for many businesses. Organisations should start to consider the impact of those changes now and begin to work towards compliance. It is already clear that some changes will take time to embed within businesses, and others may require significant changes to existing processes. As a first step, businesses need to take stock of their existing data assets and compliance profile, and then systematically assess how the Regulation will affect existing compliance. For most organisations, this will be a sizeable project. Organisations in the UK, which until now have enjoyed a light-touch data protection regime, arguably will have the most to do to prepare for data protection under a harmonised regime.