Data Protection in Switzerland Update Following the Safe Harbor Decision 21 October 2015 / 6 February 2016 Christian Wyss
Agenda
Data Protection in Switzerland
The Safe Harbor Decision
How to Restore Compliance?
What's Next? EU Data Protection Regulation
Questions & Answers
Data Protection Switzerland 2
Personal Data
All information relating to an identified or identifiable person.
"Person" means natural or legal persons (this differs from most EU Member States, where only natural persons are protected).
Data that has been irrevocably anonymised does not constitute personal data.
Sensitive Personal Data
religious, ideological, political or trade union-related views or activities
health, the intimate sphere or racial origin
social security measures
administrative or criminal proceedings and sanctions
NOT SENSITIVE: income, net worth, financial statements, trade secrets
Personality Profile
A collection of data that permits an assessment of essential characteristics of the personality of a natural person.
Principles of Data Processing (1/2)
Legality: All processing of data must be undertaken in a lawful manner, i.e. in compliance with the Swiss Data Protection Act. Data must not be collected unlawfully, e.g. by fraud, deceit or violence.
Transparency: All data must be processed in good faith. Therefore, any person whose data is processed needs to know whether, to what extent and for what purpose their personal data is used.
Appropriation (purpose limitation): Personal data may only be processed for the purposes indicated at the time of collection, evident from the circumstances, or provided for by law.
Principles of Data Processing (2/2)
Reasonableness (proportionality): Data processing and access to data must be limited to the extent necessary to accomplish the purpose. Data no longer needed for that purpose must be deleted, or stored separately where necessary to comply with record-keeping obligations.
Accuracy: Data processors must ensure that their data is correct and up to date. Wrong data must be revised, and any data subject may ask that wrong data be rectified.
Data Security: Personal data must be protected against unauthorized processing by appropriate organizational and technical means.
Two Streams to Ensure Compliance
Stream 1: Transfer to Third Parties, or Processing of Sensitive Data or Personality Profiles
Appoint an internal Data Protection Officer (more than 900 Swiss companies have done so), or
Register the databases with the Swiss Federal Data Protection Commissioner
Stream 2: Transfer Abroad
Transfer to EU countries
Transfer to EU countries and onward to other countries
Transfer to other countries: specific consent, or Data Transfer Agreements, or Binding Corporate Rules
Safe Harbor Decision (1/3)
http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d2dc30dd033c1f3f50e84186b1029997aff2d16e.e34kaxilc3qmb40rch0saxurbxn0?text=&docid=169195&pageindex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=478537
Data Protection Directive 95/46/EC: transfer abroad only to countries with an adequate level of protection.
United States: no comprehensive data protection law, but sector-specific protection (financial data, health data, minors, spam e-mails etc.).
Safe Harbor: a US recipient certified under the Safe Harbor is deemed to be located in a country with an adequate level of protection.
The Safe Harbor provides a carve-out for national security and public interest, but it was adopted before 9/11.
Safe Harbor Decision (2/3)
Maximilian Schrems, an Austrian law student, contracted with Facebook Ireland, a subsidiary of Facebook, Inc., to use Facebook (like millions of other European users).
January to June 2013: Edward Snowden leaks secret information from the US National Security Agency.
25 June 2013: Schrems lodges a complaint with the Irish Data Protection Commissioner: Facebook does not protect my data from access by US government entities. The Commissioner relies on the Safe Harbor and refuses to investigate.
Safe Harbor Decision (3/3)
The Irish High Court asked the CJEU whether EU Commission Decision 2000/520 regarding the Safe Harbor is binding on national authorities.
CJEU:
(1) National data protection authorities are responsible for monitoring, with complete independence, compliance with EU rules on the protection of individuals with regard to the processing of such data; a Commission adequacy decision therefore cannot prevent them from examining a complaint.
(2) Commission Decision 2000/520 is invalid, mainly because it did not adequately consider EU citizens' fundamental rights (Charter of Fundamental Rights of the European Union, Article 7 Respect for private and family life, Article 8 Protection of personal data).
How to Restore Compliance
Identify relevant U.S. companies in the Safe Harbor Framework list: http://safeharbor.export.gov/list.aspx
Enter into Data Transfer Agreements (by end of January 2016):
EU Standard Model Clauses
Swiss Model Data Transfer Agreement
Binding Corporate Rules
Specific consent for each transfer
Redirect data transfers from the EU to the US via Switzerland?
How to Restore Compliance
The Swiss Federal Data Protection Commissioner requires that data subjects be informed about potential data access by US government institutions, e.g.:
"When transferring data to the United States, we use all required mechanisms to ensure compliance with Swiss and European data protection laws. Where US law imposes a conflicting obligation, however, US organizations must comply with the law. Thus, United States public authorities such as the NSA, the FBI or other federal agencies might access your data in the course of intelligence collection, surveillance, law enforcement, or other programs in excess of what would be allowed under Swiss and European data protection laws. Also, many safeguards that are provided under US law are mostly available to US citizens or legal residents only."
The legality and reasonableness of this requirement are questionable, though.
EU-US Privacy Shield (Update February 2016)
New framework for transatlantic data flows replacing the Safe Harbor, which will protect the fundamental rights of EU citizens when their personal data is transferred to U.S. companies.
Access by U.S. authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.
Details have not yet been published.
Next steps: EU Commission to draft an adequacy decision; Article 29 Working Party and Member States Committee to review.
EU Data Protection Regulation
http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf
EU Data Protection Regulation
Draft I: January 2012, EU Commission presents draft Regulation proposal
Draft II: March 2014, EU Parliament adopts draft Data Protection Regulation
Draft III: June 2015, EU Council approves amended draft Data Protection Regulation
EU Data Protection Regulation
24 June 2015: Kick-off trilogue meeting of Commission, Parliament and Council, aimed at finding a compromise by end of 2015
14 July 2015: Second trilogue meeting
2016: Possible compromise on the draft Regulation in the trilogue
2018: Expected entry into force of the Data Protection Regulation
The Safe Harbor decision will likely delay the process.
EU Data Protection Regulation
One binding Regulation directly enforceable in all EU Member States; national rules on employee data protection may survive
New category: pseudonymous data
More stringent regime for processing sensitive data and personality profiles; genetic data will be considered sensitive
Higher threshold for showing legitimate grounds for data processing
New rights: data portability, right to be forgotten
Heavier fines of up to 2% of annual worldwide turnover
Data security breach notification
Contact Details
Christian Wyss
Partner, lic. iur., LL.M., Attorney at Law
VISCHER AG
Aeschenvorstadt 4
4010 Basel
Switzerland
cwyss@vischer.com
+41 58 211 33 39
Thank you.
Zürich: Schützengasse 1, Postfach 1230, CH-8021 Zürich, Tel +41 58 211 34 00, Fax +41 58 211 34 10
Basel: Aeschenvorstadt 4, Postfach 526, CH-4010 Basel, Tel +41 58 211 33 00, Fax +41 58 211 33 10