
Data protection in the United Kingdom and Switzerland

EU data protection

How much EU is there in data protection in the UK and CH?

Introduction

Just over two years after the United Kingdom (“UK”) left the European Union (“EU”), the differing mindsets of the two sides are becoming clear. Withdrawal has consequences under data protection law. A draft bill before the UK Parliament is currently still in the early stages of its readings. Behind it is the UK government’s wish to improve on the EU’s General Data Protection Regulation (GDPR), which came into force in 2018.

Contrast this with Switzerland’s latest data protection legislation. Although Switzerland is not a member of the European Union, it is moving closer to it in many respects, including data protection law.

Possible new regulations in the UK 

The British side criticizes the current regulations for placing certain hurdles in the way of companies and consumers, which is why the government has introduced a new draft bill, the Data Protection and Digital Information Bill.

For example, appointing a data protection officer is cumbersome for small companies; this obligation is to be eliminated. Furthermore, small companies in particular face increasing uncertainty, which is why the government sees a general need for improvement, especially regarding the supposedly high data protection requirements imposed on companies. There is a fear of a regime based only on compliance with obligations instead of one that encourages proactive action.

Authorities no longer required to inform data subjects about automated decision making 

This change represents a major departure from the EU GDPR: competent authorities will no longer be required to inform data subjects about automated decision making. The justification given is an example such as the following: if an individual’s data is of interest to the police, notifying that individual would be likely to interfere with the ongoing investigation.

The logging obligation will be eliminated

In addition, the obligation to keep logs of data processing is to be eliminated. These logs are a technical and organizational measure within the meaning of Art. 32 EU GDPR and serve the so-called input control: they record, in a GDPR-compliant manner, who accessed personal data, when, and how they processed it further (in particular, changes to the data), so that unauthorized processing can subsequently be identified and verified. The British legislator, however, considers this too resource-intensive and out of proportion to the added value, arguing that anyone who wrongfully accesses data is unlikely to document an honest justification.

Rules on consent remain, expanded to include a list of when there is a legitimate interest in data processing 

The regulations on consent are to remain unchanged. However, to make it easier for companies to assess whether consent is required or whether processing can instead be based on the more flexible legal basis of legitimate interest, the government has added a list to Annex 1 of the draft law. It sets out the conditions under which a legitimate interest in data processing is recognized, for example “national security, public security and defense” or “detecting, investigating or preventing crime”.

Appointment of a “Senior Responsible Individual” instead of a data protection officer 

The obligation to appoint a data protection officer is to be eliminated, especially for small companies. Instead, authorities and companies are to appoint a “senior responsible individual” under certain conditions. This person would be responsible for data protection risks within the organization and for delegating the necessary tasks to suitably capable individuals. The individual would be part of “senior management” and thus play a significant role in decisions about processing activities in all or significant parts of the organization.

He or she would be responsible for performing or delegating the following tasks:  

  • Monitoring compliance with applicable data protection laws;
  • Ensuring that the controller develops, implements, and regularly reviews compliance measures;
  • Training employees;
  • Handling complaints related to data processing;
  • Handling data breaches.

Under the draft legislation, the tasks of the senior responsible individual do not differ significantly from those that a data protection officer assumes or may assume under the EU GDPR. The main difference is therefore membership of senior management.

This is likely to call into question the independence or neutrality of the responsible person: as a member of senior management, he or she arguably has a significant interest in enabling data processing operations without major hurdles, in contrast to an independent or even external data protection officer. Even though the responsible person can delegate his or her duties to other capable individuals within the company, there is a fear that in future one or another data processing operation will be waved through in the company’s interest where an external data protection officer would have advised otherwise.

With regard to consumers, too, hurdles are to be removed and processing simplified.

Opt-out procedure instead of opt-in procedure regarding cookies 

Consent to the use of cookies on websites is to be changed from the current opt-in procedure to an opt-out procedure. This is intended to spare users from clicking through numerous consent banners and thus prevent frustration. Similar to the German “PIMS” (“Personal Information Management System”) procedure under the TTDSG, there is also to be a general management option and overview of data processing in the browser settings, so that consent on each individual website would become superfluous.

Soft opt-in for marketing measures by non-commercial organizations 

The new draft law provides for a further change in the context of the so-called “soft opt-in”. A “soft opt-in” allows direct marketing to be sent to existing customers who have not necessarily expressly consented to it. Previously, this marketing option was denied to non-commercial organizations; it is now to be extended to them.

Joint project by UK and USA, but sanctions for data protection violations as in the EU 

Also of note is a plan by the UK in cooperation with the US. In a joint statement in July 2022, the two countries announced that they want to facilitate cross-border access to data relevant to criminal proceedings. The goal is to fight serious crime while maintaining democratic standards.

In terms of sanctions, however, the draft law would move closer to the European Union. The current maximum of £500,000 is to be increased to up to 4% of a company’s annual turnover or a maximum of £17.5 million. This corresponds to the comparable provisions of Art. 83 EU GDPR.

New regulations in Switzerland 

In contrast to the UK, Switzerland is regulating in the other direction. Switzerland’s new Data Protection Act (DPA) and its implementing provisions in the new Data Protection Ordinance (DPO) are due to come into force on 01.09.2023. The most important innovations include a requirement for increased transparency and a strengthening of data subjects’ rights.

Expansion of information obligations towards data subjects

The increased transparency is to be ensured, among other things, through an expansion of the information obligations. These are comparable to the obligations under Art. 13/14 EU GDPR. From September next year, an information obligation will apply to the processing of any personal data; previously it applied only to the processing of data requiring special protection and to the creation of personality profiles. Furthermore, the controller must inform the data subject if a decision is based exclusively on automated processing, and the data subject may request that such an individual decision be reviewed by a natural person. Consent is required in any case of so-called “high-risk profiling”.

Obligation to keep a register of all processing activities 

Similar to the obligation to keep a register of all processing activities familiar from the EU GDPR, all data processing activities are to be documented under the new Swiss DPA by the responsible processor (the EU GDPR’s “processor”) in a “register of processing activities”. The register contains the same content and information as already known from Art. 30 EU GDPR.

Legal regulation of the role of the processor and the data processing agreement

The role of the processor is new here and corresponds to the classic processor within the meaning of the EU GDPR. Processing may only be transferred to a processor by contract or by law. Any further transfer of processing by the processor to a third party must be approved in advance by the controller. The GDPR contains supplementary rules on the contract then required between the controller and the processor. The mandatory contents essentially correspond to the requirements of the EU GDPR, e.g.: categories of personal data and of data subjects; type and purpose of disclosure of personal data (“purpose of processing”); data transfers to other states; recipients or categories of recipients (e.g. subcontractors); requirements for storage, deletion and destruction of data; and the obligation to take appropriate measures to comply with the contractual clauses.

Obligation to perform a data protection impact assessment 

In addition, there is an obligation to conduct a data protection impact assessment, likewise modelled on the EU GDPR. Here, too, the Swiss provisions essentially correspond to those of Art. 35 EU GDPR.

Increase in sanctions for data protection violations 

Here, Switzerland follows the UK’s lead: sanctions for violations are to be increased. However, they are nowhere near the level of the sanctions provided for at EU level. Although the law speaks of “private persons”, this should not be understood to mean private individuals; rather, it refers to legal entities under private law in Switzerland, as the DPA applies to private persons and federal bodies. In future, Swiss companies may thus be fined up to 250,000 Swiss francs for breaches of duty. This maximum applies to all possible offences, in particular violations of the duties to inform, to provide access and to cooperate, of duties of care (here upon request) and of the professional duty of confidentiality, as well as disregard of orders. At the current exchange rate (as of 26.09.2022), 250,000 francs is equivalent to approximately €261,977.50. Compared with the EU GDPR ceilings of 10 million and 20 million euros, this is only a fraction.

Fee-based support of the FDPIC 

On the other hand, it is striking that, in contrast to the EU GDPR or, for example, the German Federal Data Protection Act, the Federal Data Protection and Information Commissioner (“FDPIC”) charges fees for certain services, for example: opinions on a code of conduct, approval of standard data protection clauses and binding corporate data protection rules, consultation following a data protection impact assessment, and advice on data protection issues. One can only hope that these fees do not end up being an obstacle to data protection and compliance by Swiss companies.

Conclusion 

While the UK is taking a more business-friendly course, Switzerland is aligning itself more closely with the EU’s consumer-friendly regulations and incorporating many provisions of the EU GDPR into its new DPA.

The main changes or alignments are illustrated in the table below.


Comparison table (columns: EU GDPR provision / United Kingdom / Switzerland)

Art. 5 para. 1 lit. b): principle of purpose limitation
  United Kingdom: Expansion to include factors to be considered when a new purpose is to be added
  Switzerland: (no entry)

Art. 6 para. 1 lit. f): lawfulness of processing; the controller weighs whether its interests in processing personal data outweigh the rights of the data subjects
  United Kingdom: List of legitimate interests for which the balancing requirement does not apply
  Switzerland: (no entry)

Direct marketing
  United Kingdom: “Soft opt-in” now also for non-commercial organizations
  Switzerland: (no entry)

Art. 13/14: information requirements
  United Kingdom: Abolition of information requirements vis-à-vis data subjects with regard to automated decision making
  Switzerland: Information obligation now also for the processing of any personal data

Art. 27: appointment of an EU representative
  United Kingdom: Requirement from Art. 27 EU GDPR deleted (clause 13 DPDI); omission of the obligation to appoint a data protection officer for (small) companies
  Switzerland: Designation of a representative in Switzerland if the controller is not resident in Switzerland

Art. 28: processing on behalf of a controller
  United Kingdom: (no entry)
  Switzerland: Processor and data processing agreement

Art. 32: technical and organizational measures (TOMs)
  United Kingdom: (no entry)
  Switzerland: Anchoring of TOMs in law

Art. 35, 36: data protection impact assessment, required if processing is likely to result in a high risk for individuals
  United Kingdom: Requirement for prior consultation eliminated, replaced with a voluntary consultation process (clauses 17, 18 DPDI)
  Switzerland: Data protection impact assessment

Art. 83: fines, focused on companies; up to €20 million or 4% of a company’s total worldwide annual turnover
  United Kingdom: Increase in fines; current maximum £500,000; approximation to the EU GDPR: up to 4% of annual turnover or £17.5m
  Switzerland: Tightening of sanctions, but not comparable with the level of fines under the GDPR; up to 250,000 francs


ANY QUESTIONS?

We look forward to your inquiry on this and other topics!