In 2017, the Swiss government issued a draft bill for a new Swiss Data Protection Act (“nDPA”) with two main goals: (1) to enhance the level of protection of personal data provided in the current Swiss Data Protection Act which dates back to 1992 (largely, to align with the EU GDPR); and (2) to ensure that there is an “adequate” level of data protection to allow for the continued flow of personal data from the EEA to Switzerland.
On Thursday, 17 September 2020, the National Council (one of two chambers of the Swiss parliament) once again debated the draft bill, but failed to reach an agreement. Three critical issues remain unresolved:
- The definition of the term “profiling”(Article 4 (f) and (fbis) nDPA): While the Council of States (one of two chambers of the Swiss parliament) would like to differentiate between profiling and high risk profiling, the National Council does not deem such a distinction necessary.
- Express consent (Article 5(7) nDPA):According to the National Council, express consent is only required for the processing of sensitive personal data, and not for profiling by a Federal authority or high risk profiling. The Council of States disagrees, seeking express consent for high risk and Federal authority processing.
- Justifications (Article 27(2)(c) nDPA): According to Article 27 (1) nDPA, a violation of the data protection principles as set out in the law may be justified by consent, by law or by an overriding private or public interest. Such an overriding private interest may apply if the data controller processes personal data in order to verify the credit worthiness of a customer, and if certain conditions are met. The details of these conditions, however, are eluding consensus between the two chambers.
The draft bill will now go back to the Council of States, which is scheduled to discuss it on 23 September 2020.