On 21 December 2016, the Federal Department of Justice and Police published a draft bill of the revised Swiss Federal Data Protection Act (FDPA). The proposed amendments are intended to adapt the existing law so as to align it with old and new developments on the European level, in particular the amendments introduced into European law by the General Data Protection Regulation (GDPR), which will apply from 25 May 2018, replacing Directive 95/46/EC, and the protocol for the revision of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108) to be adopted by the Council of Europe in early 2017. The impact of the GDPR in Swiss companies can be found on the MME website.

Revisions to the FDPA include[1]:

1. Geographic scope The FDPA has already been interpreted by Swiss courts to apply to data processing activities outside of Switzerland that have notable effects in Switzerland (“effects principle”). The GDPR explicitly extends the geographic reach of EU data protection law by applying EU law to activities of controllers and processors established in the EU even if the processing takes place outside the EU, and to processing activities of controllers and processors not established in the EU that are related to the offering of goods or services to the relevant data subjects in the EU or to the monitoring of the behaviour of individuals taking place within the EU.
2. Substantive scope According to the draft revised FDPA, the substantive scope shall be limited to data concerning individuals (natural persons) and shall no longer cover personal data of legal entities (corporations). A particularity of Swiss law without counterpart in EU law, it had little practical effects but caused many furrowed brows. The FDPA’s definition of sensitive personal data shall be extended to biometric and genetic data, in compliance with the GDPR.
3. Qualification of the consent The draft revised FDPA adds to the existing consent requirement that the consent must be given “unambiguously”. The consent for the processing of sensitive personal data shall be – in the French and Italian versions – exprès and espresso, thereby making clear that such consent can also be given implicitly by a clear affirmative action, all in line with the GDPR. Already under the existing FDPA, consent should cover all of the purposes for which the data are being processed, so that a later processing for a purpose originally not recognisable for the data subject is not permitted without new consent, in line with the GDPR.
4. The data subject’s right to information and to be forgotten The draft revised FDPA aims at strengthening the individual’s rights and increasing transparency. In particular it requires ay federal body and private person to inform the data subject when collecting any category of personal data, not just sensitive personal data. In compliance with the GDPR, the FDPA shall explicitly regulate the obligation to delete personal data when the original purpose for processing the data no longer justifies their retention, and shall give the data subject an explicit right to have them deleted.
5. The right of the dead According to the draft revised FDPA, anybody who can show a legitimate interest shall have access to the personal data relating to a deceased person, whereby such legitimate interest is presumed for children, grandchildren or parents of the deceased person or their spouses, registered partners or de facto spouses.
6. Automated individual decision-making The draft revised FDPA, in compliance with in the GDPR, requires information and consultation when a controller takes a decision solely on the basis of automated data processing without human intervention or evaluation, which produces legal effects for or significantly affects the data subject. Such information and consultation can also be carried out retroactively.
7. Data protection by design and by default The draft revised FDPA as well as the GDPR provide that the controller shall implement appropriate technical and organizational measures to reduce the risk of violations of personality or fundamental rights and prevent such violations (so-called privacy by design) and for ensuring that, as a standard, only personal data which are necessary for each specific purpose are processed (so-called privacy by default).
8. International data transfer The FDPA continues to allow the transfer of personal data only to countries with an adequate level of data privacy protection. The Federal Council shall be competent to attest bindingly the adequacy of protection of a specific country. If there is no adequate foreign protection, data may still be transferred on the basis of international treaties, individual contractual agreements previously notified to the Commissioner, approved standardised safeguard, or approved internal data protection regulations that apply to all of the transferring and receiving entities.
9. Extended duties and powers of the Commissioner According to the draft revised FDPA, the commissioner’s powers to supervise compliance with the FDPA shall be extended to all private persons and shall not be limited to specific cases. The commissioner also shall be enabled to render administrative decisions binding for the parties, but he or she shall still not have the power to impose fines and other penalties. Also under EU law, the supervisory authority is given broader responsibilities.
10. Administrative fines and penalties According to the draft revised FDPA, the penal provisions shall be extended. This shall be in compliance with the GDPR with the exception that the supervisory authority has the investigative power to impose administrative fines and that it is up to the member states to lay down the rules on other penalties applicable to infringement of the GDPR. The maximum amount of fines is increased to CHF 500,000, and violations of the duty of professional confidentiality may be sanctioned with imprisonment of up to three years or a monetary penalty of up to CHF 1,080,000. In the case of violations committed within a business undertaking, the law enforcement authorities may either prosecute the responsible persons or instead condemn the company to pay the fine.

Obligations under the new FDPA[2]:

1. Privacy by design: Data controllers and data processors shall undertake reasonable measures to design their processing activities in a manner that reduce and prevent privacy risks.
2. Privacy by default: Data controllers and data processors must pre-configure their software so that by default it processes only as much personal data as is necessary for the purpose of processing. Automated decision-making. Data subjects must be informed if they are subject to a decision that is made solely by automatic processing of personal data and which has a legal effect on the data subject or otherwise significantly affects the data subject. The data subject has a right to be heard in relation to the decision and the personal data that was processed to reach that decision.
3. Data protection impact assessments: Data controllers and data processors must perform data protection impact assessments if the contemplated processing activities likely result in a high risk for the privacy or human rights of data subjects. Results of such assessments need to be communicated to the data protection authority.
4. Data breach notifications: Data controllers and data processors shall immediately notify the data protection authority of any unauthorized processing or loss of personal data unless the data breach is unlikely to result in a risk for the privacy or human rights of data subjects.

Implications for Blockchain Related Activities

The new GDPR in Europe, as well as the FDPA will have consequences for blockchain related activities. Among other things this will include a right to know how their data is being used, and a right to be “forgotten” by having their data removed from a platform. The regulation applies to any entity, no matter where it is located, that deals with the personal data of citizens of the EU (as well as Switzerland, which is enacting similar rules). This could cause problems for blockchain projects in which personal data goes on chain. Because blockchains are immutable, for instance, data can’t easily be erased[3].

SOURCES

[1] Information quoted from Lexology

[2] Information quoted from Baker McKenzie

[3] Information quoted from Crypto Valley