Data protection in the United Kingdom and Switzerland
How much EU is there in data protection in the UK and CH?
Just over two years after the United Kingdom (“UK”) left the European Union (“EU”), the differing mindsets of the UK and the EU are becoming clear. Withdrawal has consequences under data protection law. A draft bill is currently before the UK Parliament and is still in the early stages of its readings. Behind it is the UK government’s intention to improve on the EU’s General Data Protection Regulation (GDPR), which came into force in 2018.
Contrast this with Switzerland’s latest data protection law proposal. Although Switzerland is not a member of the European Union, it is moving closer to it in many respects – including data protection law.
Possible new regulations in the UK
The British government’s criticism is that the current rules place certain hurdles in the way of companies and consumers, which is why it has drafted a new bill, the Data Protection and Digital Information Bill (“DPDI”).
For example, it is cumbersome for small companies to appoint a data protection officer; this obligation is to be eliminated. Furthermore, small companies in particular are increasingly confronted with legal uncertainty, which is why the government sees a general need for improvement, especially with regard to the supposedly high data protection requirements placed on companies. There are fears of a regime based only on compliance with obligations instead of one that encourages proactive action.
Authorities no longer required to inform data subjects about automated decision making
This change represents a major difference from the EU GDPR: competent authorities will no longer be required to inform data subjects about automated decision making. The justification offered is this: if an individual’s data is of interest to the police, notifying the individual would be likely to interfere with the ongoing police investigation.
The log obligation will be eliminated
In addition, the obligation to keep logs of data processing is to be eliminated. These logs are a technical and organizational measure within the meaning of Art. 32 EU GDPR and serve what is known as input control: they record, in a GDPR-compliant manner, who accessed personal data, when, and how they processed it further (in particular, changes to the data), so that unauthorized processing can subsequently be identified and verified. However, the British legislator considers this too resource-intensive and out of proportion to the added value it brings. It is unlikely that anyone who wrongfully accesses data would document an honest justification.
Rules on consent remain, expanded to include a list of when there is a legitimate interest in data processing
The regulations on consent are to remain unchanged. However, to make it easier for companies to assess whether consent is required or whether processing can be based on the more flexible legal basis of legitimate interest, the government has added a list to Annex 1 of the new draft law. It sets out the conditions under which it recognizes a legitimate interest in data processing, for example for national security, public security and defense, or for detecting, investigating or preventing crime.
Appointment of a “Senior Responsible Individual” instead of a data protection officer
The obligation to appoint a data protection officer is to be eliminated, especially for small companies. Instead, authorities and companies are to appoint a “senior responsible individual” under certain conditions. This person would be responsible for data protection risks within the organization and for delegating the necessary tasks to appropriately capable individuals. This individual would be part of “senior management,” and thus have a significant role in decision making about processing activities in all or significant parts of the organization.
He or she would be responsible for performing or delegating the following tasks:
- Monitoring compliance with applicable data protection laws;
- Ensuring that the controller develops, implements, and regularly reviews compliance measures;
- Training employees;
- Handling complaints related to data processing;
- Handling data mishaps.
Under the draft legislation, the tasks of the senior responsible individual do not differ significantly from the tasks that the data protection officer assumes or may assume under the EU GDPR. The main difference is therefore the affiliation with senior management.
This is likely to call into question the independence or neutrality of the responsible person, because as part of senior management he or she arguably has a significant interest in enabling data processing operations without major hurdles, in contrast to an independent or even external data protection officer. Even if the senior responsible individual can delegate his or her duties to other capable individuals within the company, there is a fear that in the future one or another data processing operation is more likely to be waved through because of the company’s interest than if an external data protection officer had advised.
With regard to consumers, too, hurdles are to be removed and processing simplified.
Opt-out procedure instead of opt-in procedure regarding cookies
Soft opt-in for marketing measures by non-commercial organizations
The new draft law provides for another change in the context of the so-called “soft opt-in.” The “soft opt-in” allows direct marketing to be sent to existing customers who have not necessarily expressly consented to it. Previously, this marketing option was not available to non-commercial organizations; it is now to be extended to them.
Joint project by UK and USA, but sanctions for data protection violations as in the EU
Also of note is a plan by the UK in cooperation with the US. The two countries announced in a joint statement in July 2022 that they would like to facilitate cross-border access to data relevant to criminal proceedings. The goal is to fight serious crime while maintaining democratic standards.
On sanctions, however, the draft law moves closer to the European Union. The current maximum of £500,000 is to be increased to up to 4% of a company’s annual turnover or a maximum of £17.5 million. This corresponds to the comparable provisions in Art. 83 EU GDPR.
New regulations in Switzerland
In contrast to the UK, Switzerland is heading in the opposite direction. Switzerland’s new Data Protection Act (DPA) and the implementing provisions in the new Data Protection Ordinance (DPO) are due to come into force on 01.09.2023. The most important innovations include the requirement for increased transparency and the strengthening of the rights of data subjects.
Expansion of information obligations towards data subjects
The increased transparency is to be ensured, among other things, through an expansion of the information obligations. These are comparable to the obligations under Art. 13/14 EU GDPR. From September next year, an information obligation will apply to the processing of any personal data. Previously, this only applied to the processing of data requiring special protection and the creation of personality profiles. Furthermore, the controller must inform the data subject if a decision is based exclusively on automated processing, and the data subject can request that such an individual decision be reviewed by a natural person. Consent is required in any case of so-called “high-risk profiling”.
Obligation to keep a register of all processing activities
Similar to the register of processing activities familiar from the EU GDPR, all data processing activities are to be documented by the responsible party (the “controller” in EU GDPR terminology) and the processor in a “register of processing activities” under the new Swiss DPA. These registers contain the same content and information as already known from Art. 30 EU GDPR.
Statutory regulation of the role of the processor and the data processing agreement
The role of the processor is new here and corresponds to the classic processor in the sense of the EU GDPR. Processing may only be transferred to a processor by contract or by law. Any further transfer of processing by the processor to a third party must be approved in advance by the controller. The GDPR contains supplementary regulations on the contract then required between the controller and the processor. Its mandatory contents essentially correspond to the requirements of the EU GDPR, e.g.: categories of personal data and of data subjects; type and purpose of the disclosure of personal data (“purpose of processing”); data transfers to other states; recipients or categories of recipients (e.g. subcontractors); requirements for the storage, deletion and destruction of data; and the obligation to take appropriate measures to comply with the contractual clauses.
Obligation to perform a data protection impact assessment
In addition, there is an obligation to conduct a data protection impact assessment, likewise modeled on the EU GDPR. Here, too, the Swiss provisions essentially correspond to those of Art. 35 EU GDPR.
Increase in sanctions for data protection violations
Here, Switzerland follows the UK’s lead: sanctions for violations are to be increased. However, they are nowhere near the level of the sanctions provided for at EU level. Although there is talk of “private persons”, this should not be understood to mean private individuals. Rather, it refers to legal entities under private law in Switzerland, as the DPA applies to private persons and federal bodies. In the future, Swiss companies may be fined up to 250,000 Swiss francs for breaches of duty. This maximum applies to all possible offenses, in particular violations of the duties to inform, to provide access and to cooperate, violations of duties of care (here upon request), breaches of the professional duty of confidentiality, and disregard of orders. At the current exchange rate (as of 26.09.2022), 250,000 francs would be equivalent to approximately €261,977.50. Compared to the EU GDPR ceilings of 10 million and 20 million euros, this is only a fraction.
Fee-based support of the FDPIC
On the other hand, it is striking that, in contrast to the EU GDPR or, for example, the German Federal Data Protection Act, the Federal Data Protection and Information Commissioner (“FDPIC”) charges fees for certain services, for example: opinions on a code of conduct, approvals of standard data protection clauses and binding corporate data protection rules, consultation following a data protection impact assessment, and advice on data protection issues. Here, we can only hope that the fees do not end up being an obstacle to data protection and compliance by Swiss companies.
While the UK is taking a more business-friendly course, Switzerland is adapting more to the EU’s consumer-friendly regulations and incorporating many provisions of the EU GDPR into the new DPA.
The main changes or alignments are illustrated in the table below.
Purpose limitation (Art. 5(1)(b) EU GDPR)
- UK (DPDI Bill): expansion to include factors to be considered when a new purpose is to be added.

Lawfulness of processing (Art. 6(1)(f) EU GDPR): the controller weighs whether its interests in processing personal data outweigh the rights of the data subjects.
- UK (DPDI Bill): list of legitimate interests for which the balancing requirement does not apply; “soft opt-in” now also for non-commercial organizations.

Information obligations towards data subjects
- UK (DPDI Bill): abolition of the information requirement regarding automated decision making.
- Switzerland (DPA): information obligation now also for the processing of any personal data.

Appointment of an EU representative (Art. 27 EU GDPR)
- UK (DPDI Bill): requirement deleted (clause 13 DPDI).
- Switzerland (DPA): designation of a representative in Switzerland if the controller is not resident in Switzerland.

Data protection officer
- UK (DPDI Bill): omission of the obligation to appoint a data protection officer for (small) companies.

Processor and data processing agreement
- Switzerland (DPA): statutory regulation of the processor and of the processing contract.

Technical and organizational measures (TOMs)
- Switzerland (DPA): anchoring of TOMs.

Data protection impact assessment (Art. 35, 36 EU GDPR): required if processing is likely to result in a high risk for individuals.
- UK (DPDI Bill): requirement for prior consultation eliminated, replaced with a voluntary consultation process (clauses 17, 18 DPDI).
- Switzerland (DPA): data protection impact assessment; focus on companies.

Fines (Art. 83 EU GDPR): up to €20 million or 4% of a company’s total worldwide annual turnover.
- UK (DPDI Bill): increase in fines and approximation to the EU GDPR; the current maximum of £500,000 rises to up to 4% of annual turnover or £17.5 million.
- Switzerland (DPA): tightening of sanctions, but not comparable with the GDPR fines; up to 250,000 francs.