After intense deliberations of the revised Data Protection Act during Parliament’s Autumn Session, the two chambers agreed on the final version of the law in the course of a Conciliation Committee discussion. Subsequently, the revised law was adopted by both chambers on Friday, 25 September 2020.
The parliamentary debate on the revision of the Data Protection Act (revFADP) was concluded during the Autumn Session. The National Council discussed the new law on 17 September 2020. The Council of States held its deliberations on 23 September 2020. On 24 September 2020 both chambers deliberated the Conciliation Committee’s proposal. The final vote took place on 25 September 2020.
What was the subject of the final parliamentary deliberations?
The two chambers entered the deliberations with two major points still open:
First, the National Council aimed at defining a 10-year period for which data concerning credit worthiness may be retained. Opposed to this, the Council of States proposed that data may only be used for such purposes for a maximum of 5 years. However, as the National Council’s position remained firm, the Council of States followed the National Council and a 10-year period was adopted during the ordinary deliberations.
Second, the differentiation between profiling and high-risk profiling was heavily debated and put the adoption of the law at risk. The concept of high-risk profiling introduced by the Council of States aims at maintaining the level of protection that is provided by the current data protection law. The concept of high-risk profiling was also supported by Federal Councilor Karin Keller-Sutter. The National Council opposed this differentiation because it does not exist in European Law (GDPR) and is thus considered a “Swiss Finish”. As the two chambers did not come to an agreement during their deliberations, a Conciliation Committee was convened as a last resort. Federal Councilor Karin Keller-Sutter urged the two chambers to come to an agreement and pointed out that failing of the law would be prejudicial to Swiss companies since for any cross-border data transfer from the EU they would have to prove they met the level of data protection set by European law on a case by case basis.
Ultimately, the two Councils adopted the law proposed by the Conciliation Committee on Friday, 25 September 2020. The final text maintains the concept of high-risk profiling and provides that if consent is required for high-risk profiling, it must be given explicitly. Interestingly, the non-conclusive list of data processing activities which result in a high risk for data subjects and thus require a data protection impact assessment does not explicitly list high-risk profiling (Art. 22 Para. 2 revFADP). However, as high-risk profiling poses high risks for the data subjects as per its definition, meaning that a data protection impact assessment should be conducted for this type of processing as well (cf. Art. 22 Para. 1 revFADP).
As a minor and third point of discussion, the National Council followed the Council of State’s proposal according to which all genetic data is considered sensitive personal data.
When will the law enter into force and how should organizations prepare themselves?
With the law having passed on 25 September 2020, the referendum period will end in January 2021. As prior to the FADP entering into force, the Federal Council needs to prepare and enact the corresponding ordinance, the revised law will presumably not become effective before 1 January 2022.
Organizations ought to consider that the final version of the law does not contain any noteworthy transition periods. Consequently, the remaining time to implement the extensive new requirements for processing personal data is short. As a first step, we recommend implementing the record of processing activities as one of the first key requirements (Art. 11 revFADP). Having a clear overview of what personal data is processed for which purposes is the cornerstone for implementing the remaining requirements such as information notices, data minimization and data deletion processes, collection and management of consent, privacy by design and privacy by default, data protection impact assessments as well as other new processes for communicating with data subjects and the Federal Data Protection and Information Commissioner, etc.
We will keep you informed about any further developments regarding the revised Data Protection Ordinance and the date of entry into force of the new law. We remain at your disposal for any non-committal discussions on how the revFADP impacts your organization.