Switzerland has succeeded in developing a data protection law that achieves the intended alignment with the GDPR while retaining an independent character.
The EU set a milestone in data protection legislation in 2018 when the General Data Protection Regulation (GDPR) became applicable. Switzerland followed by passing a revised Data Protection Act (nDPA) in 2020, which at the time of writing is scheduled to come into force in mid-2022. Although the nDPA is not yet in force, some already argue that the Swiss approach to regulating data protection is no more than a copy of existing EU legislation. The following comparison shows that the Swiss data protection law has kept its own character and that a number of differences still need to be taken into account.
Different approach – different impact?
The two data protection laws are built on different concepts: the Swiss nDPA rests on a principle of permission, the EU GDPR on a principle of prohibition. In other words, under the nDPA the processing of personal data is generally permitted unless it results in an unlawful violation of the data subject's personality. Any processing that complies with the statutory principles (lawfulness, good faith, proportionality, purpose limitation, accuracy and data security) therefore requires no additional justification. In this respect Swiss legislation remains true to its line, as the previous DPA was already based on this concept.
Under the GDPR, by contrast, the processing of personal data is generally prohibited unless one of the legal bases exhaustively listed in the regulation applies. Every processing operation must therefore be matched to a specific permission in the law itself; otherwise it constitutes a breach of data protection law. This divergence illustrates that the European legislation starts from a much stricter premise than the Swiss version. In practice, however, the EU's strict path is considerably softened by the fact that the "legitimate interests of the controller" (Art. 6 (1) lit. f GDPR) are accepted as a legal basis for processing. This legal basis grants broad discretion and leaves much room for interpretation. As a result, although the two laws take opposing starting points, the differences in day-to-day handling are far smaller than the conceptual divergence would suggest.
Data breach notifications
The GDPR explicitly sets a maximum deadline for data breach notifications to the supervisory authority (without undue delay and, where feasible, within 72 hours of becoming aware of the breach) and prescribes the minimum content of such a notification. The notification must be made in every case unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The requirements to be fulfilled in the event of a breach are thus clearly laid down. The controller itself has a narrow margin of decision and, if the 72-hour deadline is not met, must give reasons for the delay together with the notification.
The nDPA, on the other hand, sets no specific notification period; it only requires that the breach be reported "as soon as possible", and it prescribes only a minimal content for the notification (the nature of the breach, its consequences, and the measures taken or planned). Furthermore, the supervisory authority need only be informed if the breach is likely to result in a high risk to the personality or fundamental rights of the data subject. The controller therefore bears full responsibility for taking the necessary steps within a reasonable period and retains comprehensive control even in the event of a data breach. Compared with the GDPR, this is a considerable transfer of responsibility to the controller.
Fines and sanctions
Liability and fines under the nDPA diverge significantly from those under the GDPR. The maximum fine under the nDPA is CHF 250,000 and is therefore far below the GDPR level: under the GDPR, infringements can result in a fine of up to EUR 20 million or 4% of the undertaking's worldwide annual turnover of the preceding financial year, whichever is higher. These differences are explained by the differing purpose of the penalty. The nDPA treats the fine as a criminal sanction for the conduct of the offender, whereas the GDPR's administrative fines are designed to motivate regulatory compliance. This difference in perspective leads to an essential distinction: under the nDPA it is not (only) the company that violated privacy that can be fined, but primarily the natural person who directly committed the infringement (for example the employee responsible for the breach). This strict personal liability is balanced by a higher threshold for imposing a fine: only intentional conduct is punishable, so negligent violations are not fined. Where identifying the responsible natural person within the company would entail disproportionate investigative effort, the nDPA now allows the company itself to be fined up to CHF 50,000 instead.