Sep 222020

Swiss Parliament Fails to Reach Agreement on New Swiss Data Protection Act

William RM Long, Francesca Blythe and Sabrine Schnyder
, , ,

In 2017, the Swiss government issued a draft bill for a new Swiss Data Protection Act (“nDPA”) with two main goals:  (1) to enhance the level of protection of personal data provided in the current Swiss Data Protection Act which dates back to 1992 (largely, to align with the EU GDPR); and (2) to ensure that there is an “adequate” level of data protection to allow for the continued flow of personal data from the EEA to Switzerland.

On Thursday, 17 September 2020, the National Council (one of two chambers of the Swiss parliament) once again debated the draft bill, but failed to reach an agreement.  Three critical issues remain unresolved:

  • The definition of the term “profiling”(Article 4 (f) and (fbis) nDPA): While the Council of States (one of two chambers of the Swiss parliament) would like to differentiate between profiling and high risk profiling, the National Council does not deem such a distinction necessary.
  • Express consent (Article 5(7) nDPA):According to the National Council, express consent is only required for the processing of sensitive personal data, and not for profiling by a Federal authority or high risk profiling. The Council of States disagrees, seeking express consent for high risk  and Federal authority processing.
  • Justifications (Article 27(2)(c) nDPA):  According to Article 27 (1) nDPA, a violation of the data protection principles as set out in the law may be justified by consent, by law or by an overriding private or public interest.  Such an overriding private interest may apply if the data controller processes personal data in order to verify the credit worthiness of a customer, and if certain conditions are met.  The details of these conditions, however, are eluding consensus between the two chambers.

The draft bill will now go back to the Council of States, which is scheduled to discuss it on 23 September 2020.

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

Sabrine Schnyder

sschnyder@sidley.com

You might also like
U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

Substantial changes to Hong Kong’s privacy laws coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.