Skip to main content

Switzerland’s Data Protection Landscape post Schrems II and Brexit

|

On 25th of September 2020, the Swiss parliament has adapted the Federal Act on Data Protection (FADP). However, the FADP - which aims to be the little brother of the GDPR - will only come into force once the corresponding ordinance has been drafted and passed the consultation process and its adoption by the Federal Council. The first is expected at the end of the first quarter of 2021, the latter during summer, so that the new law will at the earliest come into force in the beginning of 2022.

Switzerland has already a rigid transfer regime equivalent to the one in the European Union. After the European Court of Justice’s (“ECJ”) decision C-311/18 of July 2020 (“Schrems II”), the Federal Data Protection Commissioner stated, that he is not in a position to cancel the Swiss – U.S. Privacy Shield. However, he can deny the adequacy of the data protection level the Swiss – U.S. Privacy generates based on the same reasoning as the ECJ.

The big takeaways of Schrems II are so be remembered, that transfers to third countries without an adequate data protection can still be based on standard contractual clauses and no longer on the EU – U.S. Privacy Shield, but a case-by-case assessment of the risk is necessary and appropriate measures must be taken. If appropriate measures are not possible, a transfer should not take place if there is a risk that the fundamental right of the data subject will be breached. Such a fundamental right may not only be the breach of privacy, but also the fundamental right to a fair trial, to access a judge or simply to a legal remedy and to the presumption of innocence.

Having this in mind, a very recent decision of the Swiss Federal Court1 is remarkable: a group of digital rights activists requested to the Federal Intelligence Service access to their data. Such a request was refused, referring to the secrecy of their actions, and the fact, that it would be possible under the Swiss Data Protection Act to seek a legal remedy.

In fact, however, there is no legal remedy under the existing Swiss Federal Data Protection Act, and therefore the denial of access by the Swiss Intelligence Service and the Federal Administrative Court violated Article 13 of the Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR). The High Court followed the argumentation in accordance with the Big Brother Watch and others vs. the United Kingdom decision lodged on the 4th of September 2013, and rejected the case back to the Swiss Federal Administrative Court. This court will have to determine whether the radio reconnaissance violates the complainants' fundamental rights under the Federal Constitution and the ECHR and, if so, what legal consequence must be attached to it.

In addition, a draft Law of the counter-terrorism2 allows wide ranging proactive measures for the police without judicial decision. Such limitation of the freedoms of the people must follow the principles of the Swiss Constitution and proactive measures can be taken only in very narrow circumstances.

The recent High Court decision, as well as the draft counter-terrorism law put Switzerland at risk of losing its adequacy decision.  So far the EU has not confirmed the adequacy decision but had warned Switzerland, not to delay or not follow the EU principles. We will sit and wait the outcome of this.

If we compare Switzerland with the UK and the Big Brother Watch case, Switzerland is in a much weaker position, at least until the new FADP comes into force. According to the FADP, an authority must make a decision, which can then be subject to a legal remedy. Under the new FADP the Data Protection Commissioner must take a decision which is subject to legal remedy. So we can only hope that the EU will be merciful and turn a blind eye for a while longer.

1Decision of the Swiss Federal Court dated December 1, 2020 (1C_377/2019)

2Bundesgesetz über polizeiliche Massnahmen zur Bekämpfung von Terrorismus (PMT) to viewed at www.admin.ch/opc/de/federal-gazette/2020/7741.pdf (dated January 14, 2021)

 

Article provided by: Nicole Beranek Zanon (de la cruz beranek, Switzerland)

 

 

Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

VIEW STREAM

About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.

{$page.footerData}