"What does the new DPA bring?" and our assessment of it - report from a lecture by Dr. Adrian Lobsiger (FDPIC) at the University of Zurich.
Attorney-at-law and IT law specialist Sven Kohlmeier was one of the participants who gathered in the lecture hall of the University of Zurich on October 26, 2023 to hear how the Federal Data Protection and Information Commissioner Dr. Adrian Lobsiger positions himself some 2 months after the new Swiss Data Protection Act came into force. The event was opened by Prof. Dr. Florent Thouvenin (University of Zurich) and ended with a panel discussion by Claudius Ettlinger (Data Protection Advisor SBB), Chantal Imfeld-Matyassy (Head of Data Protection Ringier Group) and Claudia Keller (Attorney at Law).
To say it up front: some of the statements were very interesting and are likely to play a role in both data protection consulting practice and legal assessment.
Term of office of the FDPIC ends
The term of office of the Commissioner ends on December 5, 2023. It is questionable whether his election will be held by the United Federal Assembly on December 13, 2023, since its main agenda item will be the "general renewal elections," i.e., the re-election of the Federal Council. Dr. Lobsiger is running for his third term. The Judicial Commission had announced that it would submit "its proposal for the re-election of Adrian Lobsiger in the fourth quarter of 2023". Until Dr. Lobsiger is re-elected, the Authority will not be without leadership, as Deputy Florence Henguely will remain in office, but she will likely not lead the Authority as prominently for a transitional period.
Our assessment: The FDPIC has a good chance of being re-elected.
"Whoever complies with the GDPR complies with the DPA."
This quote from the FDPIC is a good way to summarize the presentation. Many companies with business relationships in the EU are subject to the GDPR and will thus have little difficulty in meeting the requirements of the DPA. The FDPIC further made clear that the main influences and "music in data protection" will be determined in the EU, and will also have a direct impact on Switzerland. There will thus not be a Swiss special path in data protection; rather, a look at the EU is helpful when it comes to implementing the DPA in Switzerland.
Our assessment: The GDPR is considered the "gold standard" in data protection worldwide. Anyone who complies with it easily fulfills the DPA. Therefore, experience with the introduction and implementation of the GDPR helps to be prepared for the Swiss application practice.
AI and the DPA
In the opinion of the FDPIC, data protection law also applies to the use of AI tools. The requirements were formulated very clearly by the FDPIC: there is an obligation to provide information about the purposes, mode of operation, data sources and risks when using AI tools. It must also be ensured that automated decisions, including the results of AI tools, are reviewed by a human being. In addition, the FDPIC pointed out that every data subject has a right to object. As an interpretative framework for AI applications, the FDPIC referred to the University of Zurich's Legal Framework for the Use of AI, the Council of Europe's AI Guidelines (Convention 108), which Switzerland has ratified, and the European Commission's current AI Act.
The FDPIC was cautiously optimistic that it would be able to follow through on data protection compliance for AI.
Our assessment: Even if the DPA applies to AI tools, the DPA is likely to be a toothless tiger, given the proliferation of AI tools, the data use that has already occurred through training data, and the lack of law enforcement capability of the FDPIC. Here, it is more likely that the European regulations will lead to restrictions in the use of AI applications.
Enforcement capacity of the FDPIC
The framework of the FDPIC's ability to enforce has been determined by the Federal Administrative Court in its Helvetia decision (19.03.2019, A-3548/2018). Helvetia-Zusatzversicherung AG rejected the implementation recommendations of the FDPIC. The court only partially approved the FDPIC's complaint and ruled on the FDPIC's control and recommendation possibilities. In addition, the FDPIC cannot issue extraterritorial rulings. Using the allegations against the company "Clearview" as an example, the FDPIC made it clear that it in fact has hardly any enforcement power, since "Clearview" did not respond to its requests and the American authorities also referred to compliance with the territorial principle.
Our assessment: The FDPIC will focus on compliance with the DPA in Switzerland. In response to our question, he made it clear that his main focus is not on the companies, many of which are subject to the GDPR, but on the major threat of data collection by the state and the associated loss of freedom.
Fines and penalties
We quote the FDPIC again here: "I bet my job that there will be no criminal judgment in the next 4 years". He justifies this with the fact that, on the one hand, only negligence offenses are punished. On the other hand, the public prosecutor's office does not act ex officio, but only on complaint, and the person filing the complaint must be personally affected. The FDPIC therefore hopes that it will not be the employees who will be punished, but that fines will be concentrated on persons in management, if they are imposed at all.
Our assessment: We see it the same way. Apart from the fact that the public prosecutor's offices probably consider other types of offenses to be more important as a matter of priority, the responsible cantonal prosecution authorities have hardly any experience in assessing data protection law and determining fines. We therefore consider the 4 years without a judgment estimated by the FDPIC to be realistic. However, the experience from the GDPR shows that, although slowly, the conviction rate is increasing. Moreover, in addition to the criminal law assessment, it must not be overlooked that a data protection violation can be prosecuted under civil law pursuant to Art. 28 of the Civil Code.
Cookie banner
In response to a question from the audience on the necessity of cookie banners, the FDPIC was unable to provide any conclusive information, but referred to a fact sheet that will soon be published by the authority's experts.
Our assessment: The unspeakable and user-unfriendly cookie banners are not required under the Swiss DPA. However, anyone who is subject to the GDPR will not be able to avoid a cookie banner. We recommend that anyone who only offers services in Switzerland should post a proper DPA data protection declaration (see: www.datenschutzmuster.ch) and do without a cookie banner.
Sven Kohlmeier is a specialist attorney for IT law (D) and also provides specialized advice on data protection law. Based on his experience with the introduction of the GDPR, he is not only the right contact for EU and cross-border issues, but also for the implementation of Swiss data protection law, which - as the FDPIC made clear - is influenced by EU data protection law. Based on his experience with the implementation of the GDPR, one can say: "It's not as hot as it's cooked." This also applies to the implementation of the DPA. If you have any questions, please feel free to contact Sven Kohlmeier.