Information Technology - Switzerland

Transcription

1 Newsletters Law Directory Deals News Subscribe Home Information Technology - Switzerland Data Protection - Key Issues Contributed by Homburger December Introduction No Free Flow of Data within a Company Data Exports Restricted Infringements of Privacy Service Providers Can be Sued Revision of the Data Protection Act Can Full Compliance be Achieved? Introduction In the modern world, few businesses can survive without data processing. Full and fast access to data has become a key success factor in the information society. However, many companies do not realize that data processing is tightly regulated by law and is thus not just their own concern. Although it is widely accepted that data protection requirements exist, many companies do not realize that data protection involves much more than protecting consumers from invasive marketing. This is particularly true in Switzerland, where - unusually - the processing of information concerning legal entities is also covered by data protection law. As a result, data protection issues crop up in all areas of business. The reporting of customer data from a Swiss subsidiary to a US parent company can raise serious data protection issues and may be illegal, even if the affected customers are not located in Switzerland. The basic concept behind data protection is the notion that everyone is entitled to decide on the fate of their personal data. While the processing of personal data is allowed in principle, the Data Protection Act sets out a number of rules that must be observed. These rules try to strike a balance between the rights of the data subject and the legitimate interests that others may have in processing the data. Accordingly, a legal assessment often involves weighing the various interests against each other. Many people, especially those outside Europe, do not realize that the Swiss Data Protection Act may apply not only to the processing of data concerning a person located in Switzerland, but also to any data processing that takes place in Switzerland. To complicate things further, the Swiss Private International Law Act allows for a choice of law in the case of data protection infringement claims, even if the parties have a contractual relationship containing a valid choice of law. For example, the Swiss Data Protection Act may apply to a US company transferring US customer data to a computer system in Switzerland, even if it is only processed on behalf of the US company and the customer contracts are governed by US law. However, the Data Protection Act has its limits; for instance, it only applies to personal data. The term 'personal data' is defined as any data relating to an identified or identifiable person. This is a relative criterion: what may be regarded as personally identifiable data for one group of persons may be unidentifiable for others in the absence of certain additional information. In the latter case, therefore, the Data Protection Act does not apply. Temporarily or permanently anonymizing personal

2 data has proved to be a simple method of escaping the act's scope of application. At times, it might thus be easier and more efficient not to request or store every available piece of information. For example, cookies are not regulated by the act, as long as the user cannot tie them to an identifiable or identified person. No Free Flow of Data within a Company The Data Protection Act sets out a number of rules and principles that define how personal data may be processed. The word 'processed' is defined very broadly to cover all ways of dealing with or handling data, irrespective of the technology used. Personal data may be processed only for those purposes that were communicated or apparent to the data subject at the time of the data collection, or as provided for by law. If, for example, a company wants to exploit its customer database in ways that were not announced when the data base was created, it may need to obtain additional permission from the data subjects, which can be very costly. The Data Protection Act further provides that data may only be processed in good faith and not excessively. Whether data processing is excessive depends on the purpose. For instance, it is admissible for a service provider to record usage of its service for billing purposes. However, once the bills are paid and there is no more need for these records (eg, statutory data retention obligations), they must be deleted; storing them could be viewed as an act of excessive data processing. Personal data must be protected against unauthorized processing by appropriate organizational and technical means. The level of security depends on the sensitivity of the data. Such measures must not only fend off unauthorized third-party access, but must also limit access and usage of the data within the company itself. Personal data processing can be considered as excessive if, for instance, customer data is accessible to employees that have no need for it. There is no general privilege for group companies: handing over personal data to a sister or parent company is normally treated as though the data were handed over to a third party. This should be taken into consideration whenever group companies consolidate their data-processing activities. Data Exports Restricted The Data Protection Act also limits cross-border transfers of personal data. Whenever collections of personal data are to be exported from Switzerland, the data exporter must, unless it is acting pursuant to a legal obligation, inform the data subjects of the transfer or notify the federal data protection commissioner. This obligation also applies to data that was originally collected outside of Switzerland. In practice, most companies choose to inform the data subjects using appropriate language in contracts, disclaimers or general terms and conditions (the consent of the data subjects is not required). The Data Protection Act further provides that personal data may not be exported if it is not afforded commensurate protection in the destination country. Hence, if there is no applicable data protection law in the destination country, the protection of the exported data must be ensured on a contractual basis. Again, this is necessary even if the data is transferred within a company or group of companies. In other words, if a Swiss company plans to hand over personal data to a parent company or subsidiary in the United States, it must enter into a contract requiring the US company to submit itself to the principles of the Swiss Data Protection Law. Another typical example is the case of an IT support organization located in the United Kingdom which remotely manages a company computer network in Switzerland, where the UK staff have access to personal data held on the network and such data is not protected by UK data protection law because it relates to legal entities. Infringements of Privacy

3 The following all constitute infringements of privacy: breach of the above rules on data processing; the processing of personal data against the explicit wishes of the data subject; or the disclosure of sensitive data or personal profiles to a third party (which may include other members of a company group). The Data Protection Act mentions just one general exception, concerning data that has been made generally available to the public by the data subject, provided he or she has not expressly and specifically prohibited its processing. However, an infringement of privacy is not necessarily an illegal act. It is admissible under the Data Protection Act, provided there is sufficient justification. This will be the case if a specific statutory provision allows the processing or if the data subjects have given their consent. A service company, for instance, may export customer data into a country without adequate statutory or contractual data protection if the customers have agreed to such export in the service contract. In addition, an infringement of privacy can be justified by an overriding public or even private interest. To illustrate this, the Data Protection Act lists a number of cases in which the overriding interest of the data processor will be particularly taken into account. These include the following: processing personal data in direct connection with the conclusion or performance of a contract, with respect to data about the contractual partner; processing certain information about a competitor; processing non-sensitive data for the purpose of evaluating the creditworthiness of another person; processing data for the purpose of publishing a media article; and gathering data about public persons, provided the data concerns their public life. Sufficient justification is also generally assumed where data is processed in the context of research, planning or statistics, provided the results are published in an anonymous manner. Whether there is sufficient justification for infringing another person's privacy depends on the specific circumstances involved. In practice, whether a particular private interest is sufficiently weighty depends on factors such as: the sensitivity of the data processed; the purpose and method of processing; and the wishes of the data subject. Data subjects can sue anyone who processes their personal data without sufficient justification for doing so; no fault or prior contractual relationship is required for such claims, and the data processor can be required by court to correct, delete or cease disclosure of the data to third parties, among other things. Claims for damages are also possible, but these are rare. Service Providers Can be Sued

4 Although the Data Protection Act specifically allows for the outsourcing of data processing to a third party under certain conditions, this does not mean that outsourcing service providers are excused from the duty to protect the data they are processing on behalf of their customers. Data subjects can raise many of the possible legal claims under the Data Protection Act against both the customer and its outsourcing provider. While the provider can defend itself by asserting the same justifications as its customer, any service provider involved in the processing of personal data of third parties should take precautions - even where it is not located in Switzerland. Further rules of the Data Protection Act provide that the data processor must ensure that the information is correct and must allow for rectifications. Basically, everyone has the right to be informed (free of charge) about the data stored about him or her and the purpose for which it is being processed, among other things. Companies should thus establish a procedure for dealing with such information requests. In addition, anyone who regularly processes sensitive data or data profiles, or communicates personal data to a third party, must also register with the federal data protection commissioner, unless the processing is due to a legal requirement or the data subjects are aware of it (their consent is not required). The commissioner has certain rights to perform official investigations and to publish recommendations with respect to the processing of personal data, but its authority is rather limited. Revision of the Data Protection Act The Data Protection Act is being revised. The intention of the revision is to increase the information rights of data subjects and to enhance their opportunities to defend their privacy. An example is the right of data subjects immediately to block the processing of personal data. Among other things, the rules on the export of personal data will be changed. Such exports are to be further restricted by way of a conclusive list of admissible justifications for exporting personal data into countries without an adequate level of data protection. It will also become more difficult to obtain the consent of the data subject, as such consent will be valid only in isolated cases and only upon (proven) adequate information. The data subject must be informed if sensitive data or personal profiles are to be acquired directly or indirectly, or in case certain automated decisionmaking tools are used. Other European countries already have such provisions in place. Many companies that systematically process personal data will have to adapt their procedures and databases in order to comply with the new regulations. For example, they will be required to add additional data regarding the sources of certain personal data they are processing. On the plus side for multinational businesses, the revision of the Data Protection Act is intended to ease the flow of data within a company group, provided that the group has adequate data protection regulations in place. The obligation to notify data exports to the federal data protection commissioner will most likely be lifted. Instead there shall be an obligation to inform the commissioner about contracts and internal regulations on data protection. It remains to be seen whether and how such an obligation can be implemented in a practicable and efficient manner. It is further intended to introduce the concept of granting data protection certifications to qualifying IT vendors, service providers and other businesses. The advantage of being a certified company is not yet fully clear. Such businesses will, for instance, be relieved from certain obligations to register collections of data. These obligations will be tightened in the revised act. The revised act must still be debated and passed by the Parliament. It is not expected that the proposed changes will become law before 2005 or The existing proposal has already been strongly criticized and may therefore undergo certain changes. Compliance with the revised act could

5 become more expensive and burdensome for the private industry than it is today. Can Full Compliance be Achieved? The Data Protection Act is not the only piece of legislation setting out data protection regulations for the private sector. For example, the Swiss Code of Obligations has a mandatory provision restricting employers with respect to employee data (this may be relevant for activities such as electronic surveillance). Other laws lay down various secrecy provisions, which must usually be obeyed in addition to the Data Protection Act, but which provide for similar measures. While an infringement of the Data Protection Act in practice will often not result in serious legal penalties, breaking statutory secrecy provisions (as found in the financial, telecommunications, legal or healthcare industries) typically can have more serious legal consequences, including criminal charges. Nevertheless, compliance with the rules of the Data Protection Act has become much more important in Switzerland over the past few years. While full compliance is often illusory in today's commercial reality - given the amount of data processed, the way this can be controlled and the broad scope of the Data Protection Act - serious efforts to protect the privacy of customers, employees and other data subjects are expected and rewarded by both the market and the public. While the Data Protection Act may add to the costs of doing business, and certainly contains some questionable provisions, the costs can usually be reduced significantly if data protection issues are identified early in the process and awareness is created. For further information on this topic please contact David Rosenthal at Homburger by telephone ( ) or by fax ( ) or by (david.rosenthal@homburger.ch). The Homburger website can be accessed at The materials contained on this website are for general information purposes only and are subject to the disclaimer. Comment/Question for the Author Send to a colleague Subscribe Newsletters Law Directory Deals News Subscribe Home