GUEST COMMENT: Data Protection Evolves - A Swiss Perspective
Different regions of the world take contrasting views of how data should be protected. This article considers the matter from a Swiss point of view.
The recent controversy over the “Panama Papers” is just one
of a number of events that have put the issue of client
privacy and cybersecurity in focus. There have, in recent years,
been a number of data breaches at banks and other
organisations.
Separately, the European Union is introducing new data protection
regulations, due to kick in by 2018. Arguably, the desire to
protect data and the hunt for information about potential tax
dodgers are, or can be, in conflict. This also highlights
the line lawmakers must draw between legitimate privacy and
secrecy.
In the following article, published for Schroders, the UK-listed
wealth and investment firm, and written by Clara-Ann Gordon,
attorney at law of the Zurich law firm Pestalozzi, such
issues are addressed in the context of Switzerland.
This item is republished by this publication with the permission
of Schroders. The editors are pleased to share these insights and
invite readers to respond.
Hardly a day goes by without media reports on data protection or
privacy issues. The issues may be linked to social media
platforms such as Google, Twitter or Facebook, or consumer
protection – cookies are used to build up user profiles based on
consumers' online activities (mass surveillance). The transfer of
personal data from Switzerland to the US Department of Justice
(DoJ) in tax disputes involving the two countries has also
created a lot of work for the Swiss authorities and courts in
recent years.
Privacy has less to do with protecting the data itself than with
the personal rights of the individuals whose data is collected.
Personal data is defined as all information about a known or
identifiable person, such as name, address, telephone number, IP
address, AHV (Swiss national insurance) number, marital status,
religion, shoe size, etc.
EU-US Privacy Shield – a source of disagreement between the EU and the US
Switzerland and the EU operate on the same principles, under
which priority is given to the personal rights of the
individual.
The US and Asia take a different approach, whereby national and
public interests can take precedence over personal rights, as in
the case of national security and intelligence agencies. As a
result, US internet service providers can be required to give the
authorities "unrestricted access" to data on grounds of national
security or public interest.
These differing privacy regimes can give rise to conflicts. The
new EU-US Privacy Shield framework is intended to facilitate the
transfer of personal data collected in the EU to US companies.
The US does not provide adequate data protection as defined in EU
privacy legislation. The EU-US Privacy Shield is intended to
remedy this. The pact replaces the Safe Harbour framework, which
was ruled invalid by the European Court of Justice in
October 2015 in what is known as the Facebook verdict.
The ECJ ruled that the Safe Harbour framework was invalid because
EU citizens and their personal data were not protected against
access by the US authorities. The EU-US Privacy Shield has been
criticised by the Article 29 Data Protection Working Party – an
independent European Commission advisory group – which has called
for additional improvements. The Data Protection Working Party's
main criticisms focused on personal data accessed on grounds of
national security. The EU Member States are due to state their
positions in the near future, after which a final decision will
be taken by the European Commission. Switzerland is expected to
seek a similar agreement with the US as soon as possible.
EU reforms: more rights for individuals and introduction of hefty fines
Change is afoot within the EU too. The European Parliament adopted the EU General Data Protection Regulation on 14 April 2016. The Regulation was published in the EU Official Journal on 4 May 2016, entered into force on 25 May 2016 and will apply from 25 May 2018. The main improvements are: enhanced rights for data subjects, the right to be forgotten, the right to data portability, simplified information rules and data breach notifications (data leaks).
Stronger
The powers of the data protection authorities have been beefed
up. Administrative fines can be imposed for infringements of the
regulation, up to the value of 4 per cent of annual global
turnover or €20 million ($22.5 billion).
At the same time, Switzerland is revising the Federal Act on Data
Protection (FADP).
The amendments will reflect the changes in European legislation,
while also creating a framework that will allow Switzerland to
ratify the Additional Protocol to the Council of Europe
Convention for the protection of individuals with regard to
automatic processing of personal data and to adopt statutory EU
instruments in response to changes to the Schengen/Dublin
acquis.
A preliminary draft of the revised FADP should be available by
the end of August 2016. The revision of the FADP is intended to
mirror the enhanced rights for data subjects and enforcement
processes introduced by the EU, to extend the powers of the Swiss
Federal Data Protection and Information Commissioner (FDPIC), and
to reflect the latest technological developments.
High fines will also be introduced in Switzerland, up to a
maximum of 10 per cent of turnover in Switzerland in the past
three financial years.
The developments described above will give natural persons more
rights. Overall, particular attention is likely to be focused on
compliance with and enforcement of the FADP. However, this will
entail higher administrative costs for companies in ensuring that
they comply with the new FADP provisions.