The Swiss government recognized the need to update its data privacy laws and guidelines in light of advances in modern technology and the AI revolution. The update was expected to take effect on 1 January 2022 but was delayed to 1 September 2023.
The new FADP aligns with the European General Data Protection Regulation (GDPR) standards while remaining specific to Switzerland, and it helps Swiss companies compete with other European companies in the market by offering user-centric data privacy and protection laws.
Broadly, here are eight key changes to the FADP and how they affect Swiss and international organizations:
Definition of Personal Data:
Under the old law, personal data was defined as any information relating to an identified or identifiable natural person. The new law defines personal data as any information relating to a natural person, regardless of whether that person is identifiable.
Regarding User Consent:
The upgraded FADP highlights the importance of obtaining consent from individuals. Organizations must convey exactly what they will use an individual's data for and enable the individual to choose exactly what they are consenting to.
Right to Access:
Individuals have the right to access the data organizations hold on them, to know how it is being collected and used, and to know with whom it is shared. Individuals can also have information in the organization's database altered, corrected or redacted if they wish, port it, or have it forgotten altogether.
Imposition of Severe Penalties:
Organizations found guilty of violating the updated FADP could be severely fined for not complying with the new standards.
Communication of Breaches:
Organizations need to be clear and transparent about any breaches that occur. The company's stakeholders must be informed immediately, along with an explanation of the type of personal data breach and its likely consequences. Organizations are also expected to be ready with measures to mitigate the damage caused, including notifying the data subjects affected by the breach.
Privacy by Design and Default:
The FADP states that the latest technology and data security measures should be among the most essential considerations when designing applications. This approach makes user privacy a priority in applications and helps avoid threats and incidents involving users' data privacy. Treating user privacy as a consideration by default ensures that applications have up-to-date protections built in from the moment they are released.
Regarding Data Protection Officers:
Organizations are recommended to appoint a Data Protection Officer to monitor compliance with the new FADP and other data protection laws, and to provide advice and counsel on data protection.
Companies and organizations should run regular training and educational programs for their employees, including mock breach exercises, to familiarize them with the protocols to follow in the event of an actual breach.
A few other minor changes include covering only natural persons' data, with the definition of sensitive data now including genetic and biometric data. Data Protection Impact Assessments (DPIAs) must be carried out if there is a potential risk to the privacy or fundamental rights of individuals. The FADP applies to all processing of personal data in Switzerland, regardless of whether the consumers (data subjects) are located in Switzerland or not. The act excludes processing of personal data for artistic or journalistic purposes.
How is the new FADP different from GDPR?
Here are a few key differences between the FADP and the GDPR:
The GDPR centers on organizations that offer goods and services to individuals in the EU, whereas the new FADP focuses on organizations that process the data of Swiss individuals, irrespective of where the organization is located.
Violations of the GDPR can incur fines of up to 4% of the organization's worldwide annual revenue (or €20 million), whereas violations of the nFADP result in fines of up to CHF 250,000.
DPO (Data Protection Officer):
The GDPR makes appointing a DPO mandatory, whereas under the nFADP it is strongly recommended but not compulsory.
The GDPR only permits data transfers out of the EU if the recipient has a sufficient level of data protection, whereas the nFADP has no specific requirements for data transfers. However, it considers it essential for organizations to take measures to protect personal data when transferring it to countries that lack adequate data protection.
The GDPR requires organizations to report data breaches without undue delay under any circumstances, whereas the nFADP requires data breaches to be documented and reported as soon as possible, a lower threshold in comparison.
The GDPR is administered by the supervisory authorities in each EU member state, whereas the nFADP is enforced by the FDPIC (the Federal Data Protection and Information Commissioner, an independent authority in charge of protecting the privacy of Swiss individuals).
Organizations need to be mindful of these key differences when processing the data of Swiss individuals, because the new FADP is an extensive and complex piece of legislation that adheres to the standards of the GDPR, but in Swiss style!
Specific Ways Companies Can Start Complying with the Revised FADP
The nFADP mandates that organizations hire a DPA (Data Protection Advisor). A DPA assists companies in identifying gaps in their data protection practices, which ensures the data of Swiss citizens is sufficiently guarded and helps organizations avoid hefty penalties by rectifying violations before they occur. Since it is mandatory for organizations to report data breaches to the designated authority, hiring a DPA is an efficient way to understand and address weaknesses in how they handle the data protection of individuals.
Conducting regular Data Protection Impact Assessments (DPIAs) under the nFADP is an efficient way for organizations to assess flaws in their operations involving the data of Swiss individuals. By appointing DPAs and conducting timely DPIAs, organizations can demonstrate their commitment to data protection and build trust with Swiss citizens.
The nFADP requires organizations to maintain a record of the data they process, store or transfer. Only organizations with fewer than 250 employees are exempt from this. Maintaining these records helps companies stay aware of any shortcomings in their data keeping and processing practices.
The new Federal Act on Data Protection is a step forward in empowering Swiss individuals and protecting their privacy, while setting a standard for data protection and establishing a contract of trust between consumers and organizations, leading to overall progress for Switzerland!