Personal data is an omnipresent key value driver for businesses. The regulation governing its processing has tightened and continues to evolve dynamically, often making it challenging for companies to follow. Most recently, for instance, the CJEU’s decision in the Schrems II matter took many by surprise. However, data protection has a long history of constant evolution. Forty years ago, on January 28, 1981, the Council of Europe opened for signature what is nowadays known as the Convention 108 (the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data) and became the founding piece of European data protection regulation, kicking-off an exciting development that leads up to today. This year’s Data Protection Day commemorates the 40th anniversary of such landmark event in data protection!

Revision of the Swiss Data Protection Act: Implementation Work Ahead

On September 25, 2020, the Swiss Federal Parliament approved the revision of the Swiss Data Protection Act (DPA) after a long parliamentary debate (see our Newsletter of September 25, 2020 summarizing the key changes of the revision). You may find the final text of the new DPA in our printable booklet, which includes the German text and an English translation.

No public referendum has been called for. Hence, it is now certain that the new DPA will enter into force. The timeline however still remains to be confirmed. The federal administration’s work on the new implementing ordinance is underway and we expect the draft to be available to the public in Q2 of this year. The new DPA is scheduled to enter into force early or mid 2022.

Given that the new DPA will not provide for an implementation period once it enters into force, this year is the time to kick-off implementation projects. Typically, companies will have to start such projects by (1) identifying processing activities in scope of the new DPA and (2) existing documentation relating thereto, then assess (3) whether there is a need to change any of these processing activities to ensure compliance with the new DPA, (4) prepare inventories of in-scope processing activities, (5) update existing privacy notices and similar documents, (6) review and update intra-group and third party agreements (such as with third party processors) governing data transfers and third party processing activities, (7) perform data protection impact assessments where needed, and (8) review, update and, where appropriate, document governance processes (such as to deal with data subject rights and breach notification obligations).

Shortly, we will publish additional resources to facilitate implementation projects.

Recent Federal Supreme Court’s Decisions on Data Subject Access Requests

In November 2020, the Federal Supreme Court held that a data subject access request under the DPA which was made prior to filing a lawsuit to gather information about the other party and obtain evidence (a so-called «fishing expedition») is an abuse of rights.[1] It is indeed established case law that an access request may be abusive if it is made only for this purpose. However, the award clarifies that an abuse of rights exists only if the sole purpose of the access request is to clarify the prospects of litigation. If the access request may also serve other purposes, the information cannot be refused for abusive exercise of rights.

In its reasoning, the Federal Supreme Court referred to the revised DPA, according to which the data subject requesting access to information must be provided with the information necessary to assert his or her rights under the DPA and to ensure a transparent data processing. Thus, the aforementioned decision is in fact the first decision on the revised DPA, indicating that the Federal Supreme Court will follow its previous case law on the data subject access right also under the new DPA.

In a decision of December 2020,[2] the Federal Supreme Court further stated that the data subject access right only covers written or otherwise physically existing data. Data that merely exists in a person’s memory is not covered. In particular, the access right under the DPA does not include a general right to discover, by questioning parties and witnesses, between whom, when and about what a personal conversation took place. Furthermore, the access right only covers data that can be accessed by the controller. Thus, the controller does not have to make inquiries, such as about the origin of information, if such data is not retained by the controller.

Brexit – Mind the Gap

About a month ago, the United Kingdom left the European Union. With that, the EU General Data Protection Regulation (GDPR) has ceased to take effect in the UK. However, the UK has largely transitioned the substantive terms of the GDPR as domestic «UK-GDPR» into the law of England and Wales, Scotland and Northern Ireland.[3]

Leaving the EU has implications for data exports to the UK from EU and EEA member states: in principle, the UK now qualifies as third country so that exports of personal data to the UK are subject to an adequacy decision by the European Commission or, absent such decision, the implementation of alternative safeguards or case-by-case exceptions as provided for under the GDPR. The EU and the UK, however, have agreed on a transition period of up to six months ending on June 30, 2021 at the latest, during which data transfers from EU and EEA member states to the UK may continue as if the UK were not qualified as third country. In order for data transfers to continue smoothly thereafter, an adequacy decision by the European Commission will be required.

For Swiss businesses, it is good to know that data exports from Switzerland to the UK are not impacted. The Swiss Federal Data Protection and Information Commissioner (FDPIC) continues to regard the UK as a country with adequate data protection laws.[4]

Schrems II – Uncertainty Continues

The uncertainties caused by the CJEU’s landmark decision in the Schrems II matter handed down on July 16, 2020[5] (see our Newsletter of July 16, 2020) continue to impact businesses transferring personal data to the USA and other third countries. Guidance provided by supervisory authorities since the CJEU’s decision has been disparate.

The CJEU itself stressed that supplementary safeguards may be needed to continue using standard contractual clauses for exports to certain third countries such as the USA, but it did not specify which safeguards these might be. Recently, the European Data Protection Board (EDPB) adopted recommendations[6] seeking to shed further light on the process to identify and adopt such safeguards. Not surprisingly, the EDPB propagates a strict view. It warns against relying on subjective factors, such as the perceived likelihood of foreign authorities seeking access to the relevant data. Further, it argues that contractual and organizational measures alone will often not be sufficient, but that they need to be combined with technical measures, such as encryption and de-identification. The EDPB goes far by stipulating that there may not be any sufficient safeguards available in case clear text access to personal data is required from a third country where contractual safeguards do not suffice, such as in case of clear text access by a cloud provider in the USA for processing operations or when using remote access to clear text data.

In a statement published on September 8, 2020,[7] the Swiss FDPIC shares the CJEU’s concerns regarding data exports to countries where local laws deprive contractual safeguards of its effect, and it agrees that additional technical measures may have to be implemented to provide for sufficient safeguards. However, as far as potential clear text access is concerned, the FDPIC takes a slightly less restrictive approach than the EDPB, stipulating that the use of sufficient technical safeguards may prove to be challenging in such circumstances (but, hence, not outright impossible).

The recently published revised standard contractual clauses of the European Commission[8] will, once adopted, not overcome the hurdles imposed by the Schrems II decision. Thus, uncertainty will continue for many businesses.

[1] Federal Supreme Court decision 4A_277/2020 dated November 18, 2020 (https://www.bger.ch/ext/eurospider/live/de/php/aza/http/index.php?highlight_docid=aza%3A%2F%2Faza://18-11-2020-4A_277-2020&lang=de&zoom=&type=show_document
(visited on January 27, 2021).
[2] Federal Supreme Court decision 4A_125/2020 dated December 10, 2020 (https://www.bger.ch/ext/eurospider/live/de/php/aza/http/index.php?highlight_docid=aza%3A%2F%2Faza://10-12-2020-4A_125-2020&lang=de&zoom=&type=show_document
(visited on January 27, 2021).
[3] See: https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/data-protection-now-the-transition-period-has-ended/the-gdpr/ (visited on January 27, 2021).
[4] See: https://www.edoeb.admin.ch/edoeb/de/home/aktuell/aktuell_news.html#-181656549 (visited on January 27, 2021).
[5] See: http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=9729736
(visited on January 27, 2021).
[6] See: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf
(visited on January 27, 2021).
[7] See: https://www.edoeb.admin.ch/dam/edoeb/de/dokumente/2020/Positionspapier_PS_%20ED%C3%96B_DE.pdf.download.pdf/Positionspapier_PS_%20ED%C3%96B_DE.pdf
(visited on January 27, 2021).
[8] See: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries
(visited on January 27, 2021).

If you have any queries related to this Bulletin, please refer to your contact person at Homburger or to: