What is the New Federal Act on Data Protection (nFADP)?
Switzerland's revised data protection legislation came into effect on September 1, 2023. The new Federal Act on Data Protection (nFADP) is a complete revision of the original FADP, which dates from 1992.
The proliferation of smartphones, internet connectivity, IoT devices, social networks, and cloud-based applications and infrastructure in Switzerland was the primary reason for revising the old FADP, which predates all of them.
The digital era calls for redefined security measures, data privacy initiatives, regulatory frameworks, compliance requirements, data consent requirements, enforcement mechanisms, and penalties and fines.
The most significant changes that the nFADP brings include an expanded duty to provide information, the right of access, the right to erasure, data protection impact assessments (DPIA), the option of appointing a data protection advisor, the right to data portability, a stronger role for the FDPIC (Federal Data Protection and Information Commissioner), and higher criminal fines for the intentional violation of specific duties, such as the duty to inform and the minimum data-security requirements.
Any public or private organization, Swiss or foreign, whose processing of personal data has an effect in Switzerland falls within the scope of the nFADP and must comply with it, even if the processing itself takes place abroad.
Enterprises need to be fully informed about the nFADP, the exact nature of its revisions from its previous 1992 iteration, the key differences between nFADP and General Data Protection Regulation (GDPR), and the resulting advantages of storing data in Switzerland.
The nFADP's main areas of revision
Coverage and sensitive data redefined
One of the most significant revisions in the nFADP is that it now protects only natural persons; data about legal entities such as companies, foundations, and associations is no longer covered. The nFADP has also broadened its definition of sensitive personal data to include genetic data and biometric data that uniquely identifies a natural person.
Privacy-by-design and privacy-by-default principles
The newly introduced principles of "privacy-by-design" and "privacy-by-default" require controllers to build data protection into processing from the earliest design stage, both technically and organizationally. This means that hardware, software, and services must be designed and configured so that the data protection rules, in particular the principles of purpose limitation and proportionality, are respected.
Privacy-by-design ensures that data protection mechanisms are built into any application that collects personal data. Privacy-by-default means that an application's default settings limit processing to the minimum necessary for its purpose, so that data subjects are protected without taking any action of their own; anything beyond that minimum requires the data subject to opt in.
Transparency is at the center of the nFADP's objectives. The nFADP imposes a duty to inform data subjects whenever personal data is collected. Previously, private controllers only had to inform data subjects when collecting sensitive data or creating personality profiles. The new revision requires data subjects to be informed irrespective of the nature of the data collected.
Data controllers and data processors
The nFADP drops the old terms "personality profile" and "controller of the data file" and introduces "controller" and "processor," matching the GDPR. Controllers are entities that decide why and how personal data is processed. Processors are entities that process personal data on behalf of controllers.
The nFADP requires controllers to conduct a data protection impact assessment (DPIA) whenever a planned processing activity may entail a high risk to the personality or fundamental rights of the data subjects. Controllers must also limit collection and processing to the personal data needed for the stated purpose, a principle the nFADP frames as proportionality and the GDPR calls data minimization.
Register of processing activities
The new law also makes a register of processing activities compulsory for controllers and processors. Companies with fewer than 250 employees are exempt, but only if their processing carries a low risk for the data subjects; a small company that processes sensitive personal data on a large scale or carries out high-risk profiling must still keep the register.
Data protection advisor
The nFADP gives companies the option to appoint a data protection advisor, the Swiss counterpart of the GDPR's data protection officer. The new law also obliges foreign companies that process personal data of persons in Switzerland to appoint a representative in Switzerland when that processing is connected to offering goods or services or to monitoring behavior, is large-scale and regular, and entails a high risk for the data subjects.
Data breach notification
Controllers are required under the nFADP to notify the FDPIC (Federal Data Protection and Information Commissioner) as soon as possible of any data security breach that is likely to result in a high risk to the personality or fundamental rights of the data subjects. Where it is necessary for their protection, or where the FDPIC requests it, the affected individuals must be informed as well. Processors must report breaches to the controller.
Key differences between nFADP and GDPR
The nFADP isn't designed to distance Swiss data protection from the EU's GDPR; it's designed to align with it. Companies that operate in both jurisdictions must comply with both laws, which is why they must understand the key differences between them.
Data protection advisor
Under the nFADP, appointing a data protection advisor is recommended but never compulsory. The GDPR, in Article 37, "Designation of the data protection officer," makes appointing a data protection officer mandatory under certain circumstances, for example for public authorities or when core activities involve large-scale processing of special categories of data.
Data breach reporting
The GDPR requires controllers to report a personal data breach to the competent EU supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. The nFADP, which also prioritizes breach reporting, is less prescriptive about the time period and only requires notification "as soon as possible." Its threshold is narrower, however: a breach must be reported under the nFADP only if it is likely to result in a high risk for the data subjects, whereas the GDPR requires notification unless the breach is unlikely to result in any risk.
Penalties and fines
Administrative fines for compliance failures under the GDPR are harsh: they can reach €20 million or 4% of the company's total worldwide annual turnover, whichever is higher, and are imposed on the company. The nFADP instead provides for criminal fines of up to CHF 250,000 directed primarily at the responsible natural person; a company can be fined directly only up to CHF 50,000, and only where identifying the responsible individual would take disproportionate effort.
Duty to inform
The nFADP's duty to inform has fewer content requirements than the GDPR's: at minimum, the controller's identity and contact details, the purpose of processing, and the recipients or categories of recipients, plus, where personal data is exported, every country to which it is transferred and the safeguards applied. GDPR Article 13 lists far more that controllers must provide at the time of collection, including the controller's identity and contact details, the DPO's contact details, the purposes and legal basis of processing, the recipients of the personal data, the retention period, and the data subject's rights.
Data exports
Under the nFADP, the Swiss Federal Council decides which countries provide an adequate level of data protection and therefore qualify as permissible destinations for data exports. Under the GDPR, this decision is taken by the European Commission through its adequacy decisions. The two lists largely overlap but are not identical, so a destination adequate under one law must still be checked under the other.
List of processing activities
GDPR's Article 30, "Records of processing activities," sets out an exhaustive list of record-keeping duties. The nFADP's record is leaner: it must contain at least the controller's identity, the purpose of processing, the categories of data subjects and of personal data, the categories of recipients, the retention period and a description of the security measures where possible, and, where data is exported, the destination countries and the safeguards applied.
Data protection impact assessment
Both laws require a DPIA when a planned processing activity is likely to entail a high risk. They differ in what follows. Under the GDPR, if a high risk remains despite the planned measures, the controller must consult the supervisory authority before processing starts. Under the nFADP, the controller must in that case obtain the FDPIC's opinion in advance, but a private controller that has appointed a data protection advisor may consult the advisor instead and is then exempt from consulting the FDPIC, which is a practical reason to appoint one even though the role is optional.
Enterprises should view Switzerland's nFADP as a necessary change. The additional and redefined governance and the prioritization of data protection make Switzerland a strong candidate for storing data.
Switzerland's data protection and privacy standards are among the highest anywhere, and the benefits of using it as a data storage hub are manifold. Its political stability, multilingual workforce, central geographic location close to major economic hubs, robust legal foundations, strong IT infrastructure, and reputation as a highly competitive nation make it an attractive data storage location for companies.
Organizations operating within Switzerland must follow a stricter set of rules. However, in a world centered around data, such high degrees of compliance and security can help global enterprises become leaders in their fields. Legislation updates like the nFADP are therefore not deterrents. They are the foundation of a data-driven future.