The scope of the EU General Data Protection Regulation (GDPR) is being expanded
The first few weeks under the GDPR are behind us. However, many companies have yet to do the necessary work, and there are new developments on the horizon that will create additional pressure. For instance, today, July 20, 2018, the scope of the GDPR is being expanded to cover the entire EEA (including the Principality of Liechtenstein), which means that various additional Swiss companies will have to deal with it.
May 25, 2018 caused quite some trouble for many companies: Many believe that anyone with customers or employees in the EU who was not in compliance with the new EU General Data Protection Regulation (GDPR) as of that date would soon face fines. Many consultants stoked the fears, while at the same time promising that companies could become «GDPR-compliant» by undertaking major implementation projects. However, those that took advice of less agitated experts were able to sleep soundly and also utilize their resources much more efficiently.
While the GDPR is by no means a trivial matter, the new data protection law in Europe is not be as bad as it sometimes was made out to be. We are taking this opportunity to do a reality check, report on our initial experiences, and take a look at what is yet to come:
- As expected, May 25, 2018 passed without major incidents. Granted, the Austrian data protection activist Max Schrems (whose lawsuit against Facebook in the ECJ at the time put an end to the «safe harbor» regulations) immediately announced a number of new lawsuits against Facebook and other companies, but a flood of litigation against less prominent companies continues to be unlikely.
- Most of the data protection authorities in Europe continue to be overstrained due to a lack of personnel and in many cases do not even respond to reports of data protection violations. They will still need some time to cope with their new tasks and are looking for additional staff in many places, insofar as they even have corresponding budgets. But this phenomenon is nothing new. As an employee of a European data protection authority put it: «We are not going to travel through the country beating people over the head with a club. Instead, we want to help companies become data protection compliant.»
- Many requirements of the GDPR remain unclear, and many will not be cleared up for the foreseeable future. However, this is not necessarily a disadvantage, as it gives companies the freedom to interpret these requirements in pragmatic, practical ways. Unfortunately, the literature and recommendations from the authorities do not always provide the necessary assistance. In practice, companies often have to make decisions involving a certain degree of risk.
- Many companies based in Switzerland continue to ask us whether the GDPR applies to them, as well. An official statement from the EU data protection authorities regarding their interpretation of Art. 3(2) GDPR, which concerns this issue, has been slow in coming. However, the currently prevailing view is more liberal than two years ago regarding the extraterritorial effect of the GDPR. For example, it is widely recognized that, just like employing cross-border workers from the EU in Switzerland or offering products or services to businesses and not to private individuals in the EU does not automatically result in the application of the GDPR, neither does outsourcing to a commercial provider in the EU. If you would like to check whether and to what extent you fall under the GDPR, you can do this by using Form C.1 in the Data Protection Self-Assessment Tool developed by us (http://dsat.ch/) (see below).
- Beginning on July 20, 2018, the GDPR applies in the entire EEA, i.e., also in the Principality of Liechtenstein. That is an unwelcome surprise for many Swiss companies, as they believed they were exempt from the GDPR because they did not engage in business with consumers in the EU. There are many Swiss companies that do not sell into the EU, but do indeed sell to Liechtenstein. The reasons for this are partly historical and partly legal. For instance, Swiss direct insurers may also engage in business in Liechtenstein based on their Swiss license from FINMA. Many of these companies now have to implement the GDPR for their private customers in Liechtenstein. As these customers are often serviced via the same systems and processes as the Swiss customers, these systems and processes must be adapted comprehensively – and for many companies much earlier than expected. They had hoped to have a bit more time thanks to the delay in the revision of the Swiss Federal Act on Data Protection (FADP). The good news: At any rate, at least until such time as the FADP is revised, neither the Liechtenstein Data Protection Office nor any other data protection authority in the EEA should be able to execute enforcement measures against companies in Switzerland. Switzerland does not provide administrative assistance in such cases, and an authorization pursuant to Art. 271 Swiss Criminal Code (SCC) seems unlikely at present. It is more likely that the Swiss Federal Data Protection and Information Commissioner (FDPIC) would take action based on his own legal powers and interpret the FADP in accordance with the GDPR, although he has no power to impose sanctions.
- The revision of the FADP is being delayed considerably longer than was originally planned. The Swiss Federal Parliament does not want to be put under pressure in this regard. Although the bill was not rejected, as was initially feared, it was divided into two parts: To begin with, the part of the revision that is necessary for the Schengen Area will be implemented (it is supposed by EU to be implemented as of August 2018) so that the Federal Parliament can take its time to debate the remainder of the revision. We do not anticipate radical changes from the Federal Council’s draft of September 2017, but we expect that the «Swiss Finishes» that go beyond the GDPR will be removed (an in-depth article in German is available here: https://goo.gl/8iV8vt). However, unlike under the GDPR, we anticipate that criminal rather than administrative sanctions will apply in Switzerland (at present, these are envisaged to apply against the private individuals responsible with regard to a relatively small number of offenses). Based on the current state of affairs, it is unlikely that the bill will be passed in 2019. As we can assume a two-year transition period, the provisions of the revised FADP would not apply until 2022. Consequently, the FADP will require Swiss companies to implement many of the updates to the GDPR, as it will contain these updates as well, but it will be some time before that happens.
- One of the issues that is keeping our clients especially occupied at present is the distinction between data «processors» and the role of the «controller.» Many companies still incorrectly assume that any service provider or authorized person who is granted access to data pertaining to the company is automatically a data processing provider (or in the terminology of the GDPR: a «processor»). This would mean that it would need a corresponding agreement, for which Art. 28 GDPR prescribes the required content in detail. Accordingly, many of our clients have been asked by their business partners – without a legal basis – to sign such contracts, without having examined the situation more closely. If an insurance company insures a company’s employees, the insurance company processes the employees’ data on its own responsibility and is therefore not a processor. Its service does not consist of data processing; rather, it processes the data on its own in order to provide its service. Likewise, attorneys are not normally their clients’ processors.
- Another hot topic is the rights of data subjects, such as the right to information or erasure. Many companies feared that they would be inundated with such requests after May 25, 2018. We recommended defining the responsibilities but taking a wait and see approach. This has proved worthwhile: Most of the companies that deal with consumers did at times observe a slight increase in the number of such inquiries and requests. But there was no flood of such requests or any other serious problem. In this regard, it is important to note that the rights of data subjects – with the exception of the right of data portability – already existed in EU law. The Swiss FADP also grants data subjects a right of information, correction, erasure, and objection. If a person asserts his/her rights, it is important to identify them reliably and to ask relevant follow-up questions; in many cases, the persons do not respond, and there is no need for further action.
- Then again, we have received initial reports from Germany of warning letters regarding websites that allegedly are not GDPR compliant. These warning letters are generally sent by “warning associations” or attorneys. They find fault with the lack of a GDPR-compliant privacy statement, the erroneous integration of third-party offerings such as Google Fonts or Google Analytics, or the integration of tools and plug-ins that are not permitted under German law. They call for a modification of the website, a declaration of discontinuance and, above all, coverage of the costs of providing the warning letter, which is permitted under German law in certain circumstances. Unfortunately, there is also abuse on the part of the parties issuing these warning letters, who count on the fact that the targeted companies do not want the matter to be brought before the courts. If a company receives a warning letter, it should review its privacy statement and ensure that it only uses data protection-compliant tools and plug-ins, and at any rate never issues a declaration of discontinuance without a proper review. Insofar as companies in Switzerland are affected, which occurs fairly infrequently, we also generally recommend not making any payments. So far, there has not been any court decision as to whether and to what extent warning letters concerning GDPR violations are permitted.
- The deluge of «opt-in» e-mails may also have been an annoyance to many people in the weeks prior to May 25, 2018. These e-mails asked the recipients to confirm that they wanted to continue to receive newsletters and other promotional mailings from the relevant company. Anyone – like most recipients – who did not respond received increasingly dramatic-sounding reminder e-mails to please grant their consent. We opted to forego sending such an e-mail to our clients and also advised most of our clients to do the same. In most cases, such e-mails were unnecessary or not expedient – it caused a number of companies to lose a large number of their marketing addresses.
- Many companies also did not realize that apart from the requirements pertaining to a valid consent, the GDPR did not entail many new features with respect to marketing e-mails. The sending of marketing e-mails is governed elsewhere in EU law, namely in the ePrivacy Directive. Plans are to also adopt it – quasi as a special data protection law – in addition to the GDPR in the form of a Regulation. Originally, the ePrivacy Regulation was supposed to enter into force together with the GDPR, but significant delays occurred because of differences over its content. Entry into force is not expected until 2019, with a transition period of another two years (see https://www.bvdw.org/themen/recht/eprivacy-verordnung/). It regulates issues such as advertising mailings and cookies and, like the GDPR, shall also apply extra-territorially and be equipped with the same sanctions regime. It is expected that many more Swiss businesses will fall under the ePrivacy Regulation than under the GDPR.
- In the meantime, GRPR implementation projects are continuing in many companies. In the period before May 25, 2018, most companies focused on publishing a GDPR-compatible privacy statement, making an inventory of data processing actions, establishing a process for reporting data security violations, and issuing basic instructions for handling personal data, where these did not already exist. Another priority was the execution of GDPR-compliant contracts for the outsourcing of data processing to providers and for the international exchange of data, but especially in these two areas many businesses have only just started making progress. A large number of contracts still need to be adapted. Most companies also have yet to perform an actual evaluation of their data protection compliance and conduct data protection impact assessments. In many places, these projects will continue into 2020. A risk-based approached is being pursued in this regard, and companies are well advised not to throw the baby out with the bath water: What is important is that a company have a plan as to how it aims to comply with the GDPR and the revised FADP, and that it works consistently to implement this plan.
- Finally, a note on our own initiatives: In the course of advising our clients, David Rosenthal developed a tool that companies can use to assess their data protection compliance with both the GDPR and the revised FADP (based on the Official Statement of the Federal Council). This «Data Protection Self-Assessment Tool» (DSAT in German) differs from all other tools in that it contains not only the typical questions used for assessing data compliance, but also all the typically possible answers. Thus, it can also be used by persons who do not have any special expertise regarding data protection. DSAT is now available to everyone at no charge via the website http://www.dsat.ch. This tool has become very popular; even the FDPIC has made reference to it. To provide it with a broader base, David Vasella, a data protection specialist from another Swiss law firm, is also involved as part of the tool’s editorial team.
- Homburger has also adapted its own privacy statement even though the GDPR only applies to Homburger peripherally. Our new privacy statement may be accessed here: https://www.homburger.ch/de/datenschutzerk-laerung
– Additional documents regarding data protection may be found here: www.hom-burger.ch/dataprotection. This also includes a synoptic description of the GDPR in English and German in DIN A5 format, including the most recent adaptations of the GDPR made in April 2018.
Should you have any questions, please do not hesitate to contact us. We will be happy to put our experience to work assisting you in implementing the GDPR and the forthcoming FADP in your company using a risk-based and pragmatic approach.
This Bulletin expresses general views of the authors as of the date of this Bulletin, without considering any particular fact pattern or circumstances. It does not constitute legal advice. Any liability for the accuracy, correctness, completeness or fairness of the contents of this Bulletin is explicitly excluded.