GDPR, Swiss DPA & ePrivacy – what Swiss companies should know.


As data privacy experts, at Pryv we continuously invest our best efforts in investigating how data protection regulations might affect your company and what you should keep in mind when dealing with sensitive personal data.

While GDPR has already started to collect fines from non-compliant companies, Europe keeps tightening its digital market standards, and third countries like Switzerland will soon have no choice but to adapt if they want to keep exchanging data with Europe. So where do you stand in the middle of all these regulations?

In this article, we will try to provide you with a comprehensive overview of the current Swiss-EU privacy landscape, and help you prepare for what’s coming next. 

GDPR

If you have a Swiss company and you’re dealing with sensitive personal data, chances are that GDPR-compliance has been your concern for some months now.

Effective since 25 May 2018, GDPR raised the bar for data privacy and protection regulations to a whole new level, leaving the many companies processing EU citizens' data with the only choice of either complying or paying fines of up to €20M or 4% of annual income. And this is just the beginning.

At its core, GDPR is a response to a need for action. But GDPR was not only designed to ensure an adequate level of protection for EU citizens. It was also designed to set a new standard and to help implement the current European strategy for an EU Single Digital Market.

So how exactly might this affect your company? Well:

  • Privacy rights of European citizens are not limited by European borders (Ref: https://gdpr-info.eu/art-3-gdpr/): so whether your company is based in Europe or not, if you want to offer your services to EU citizens (or even monitor their behaviour), you’ll have to comply with GDPR first.
  • Europe now allows the transfer of personal data on the basis of an adequacy decision (Ref: https://gdpr-info.eu/art-45-gdpr/): so at some point, if you want to exchange data with Europe, you may have to demonstrate that your company provides an adequate level of data protection as well.
  • The Federal Data Protection Act (hereinafter: Swiss DPA) is currently being revised and tends to align (at least partly) with the European standard: so even if you’re a Swiss-only business, some GDPR requirements might still apply to you.

Also, if you’re in the healthcare business: GDPR provides an extra level of protection regarding the processing of specific personal data such as genetic data, biometric data and any data concerning health (Ref: https://gdpr-info.eu/art-9-gdpr/), adding yet another level of requirements to meet.

Did you take all that into consideration?

Swiss DPA

GDPR requirements not only affect Swiss companies, but also Switzerland itself. As a draft revision of the Swiss DPA is currently in motion, the level of adequacy it will have with the European standard is now at the center of the debate.

In particular, if Switzerland wants to continue to be recognized by Europe as a third country with a sufficient level of data protection (and thus be able to preserve the possibility of exchanging data with Europe), it will have to raise its standards towards those of GDPR.

So what does this mean for you? Well, even if you’re not dealing with Europe and are not planning to, if your company falls under the Swiss DPA and the Swiss DPA adopts some GDPR requirements, you’ll have to comply with these requirements as well.

Now to give you some context on the current situation:

A first draft revision of the Swiss DPA (e-FADP) was adopted in September 2017. The first Committee in charge of reviewing the draft completed its examination last September, and the draft has now been forwarded to a second Committee for further revision and modification.

At this point, the future of the Swiss DPA remains very uncertain. Nevertheless, we can already give you some insight into what to expect.

Among the latest proposals:

  • Data portability, which is the right of the data subject to obtain their own data and receive it “in a structured, commonly used and machine-readable format”, is now being considered for introduction into the Swiss DPA.
  • Maintaining data protection for legal persons, which even GDPR doesn’t offer, is under discussion.

While you can see how the first point could directly impact your technical requirements (and is adopted from GDPR), the second is also important to keep in mind, because it underlines the fact that, in the end, the Swiss DPA could differ from GDPR on certain points, too.

So how to prepare?

Well, by opting early for a privacy-by-design approach, you’ll likely save yourself a lot of trouble in the long run: by addressing your customers’ privacy rights at the highest possible standards right away (like we do at Pryv ;)), meeting the requirements of any data protection regulation will hardly be an issue at all.

ePrivacy

As said before, GDPR was just the beginning. And if GDPR and the Swiss DPA seemed like enough of a challenge already, you are not out of the woods yet (especially if you were planning to enter or stay in the EU market).

In pursuit of its strategy for a single digital market, Europe is now discussing the adoption of a new regulation that will complement the GDPR: the ePrivacy Regulation (ePR).

To keep it simple, the ePR is kind of like GDPR but with a focus on the protection of electronic communications and a broader scope of application (in the sense that it also protects legal persons!). From that perspective, it is most likely that Swiss companies will be impacted, too.

So what should you know? Well, since ePR is intended to particularise and complement the GDPR:

  • If GDPR applies to you, so could ePR if your services extend to electronic communications.
  • In case of conflict, ePR will take precedence over GDPR (and thus be applied first).

Also, ePR fines for non-compliance are as high as under GDPR: so in case of infringement, you could have to pay up to €20M or 4% of your company’s annual income (whichever is higher). Wouldn’t it be better to invest in a compliance strategy instead?

While ePR was specifically designed to add an extra level of requirements on top of GDPR, it is also foreseen that it “will have a disruptive effect on companies’ digital strategies, which will need to be redefined to meet the new requirements.” Well, it doesn’t necessarily have to.

As we like to say at Pryv, in cases like this, you just have to establish a solid and scalable foundation before building the house. That way, you can be sure that your system components will scale to comply with any new forthcoming requirements.

And if you’re in the healthcare business…

ePR is not the only new EU regulation that is to be expected within the next few years. As Europe keeps raising the standards of its regulations, a new regulation for medical devices is also making its way towards the EU market: the Medical Device Regulation (MDR).

In particular, if you’re developing an mHealth app, MDR could become a major concern for you, as your software could now be registered as a “medical device” under this new legislation, adding yet another level of requirements to comply with.

In particular, this would mean that:

  • you may also have to comply with some new medical-related requirements;
  • if your app collects personal data, you’ll likely have to comply with GDPR as well;
  • and of course, all of this comes on top of other existing regulations (like the Swiss DPA).

While this may feel like an avalanche of complex challenges for your company, it doesn’t have to be.

Since 2015, we have been talking with hundreds of healthcare innovators and listening to their needs, so that we can help businesses like yours build solutions that respect not only data privacy and protection regulations, but also existing and forthcoming regulations for managing personal health data.

The end… or the and?

By design, when we decided to bring pryv.io to market as a ready-to-use solution for personal and health data, we invested in ensuring that your products can easily benefit from integrated compliance across different industries and market-specific regulations.

From now on, we will keep this article as a living document, aiming to support you and our customers by sharing the best knowledge we have, to shorten your time to market, and to turn your compliance investment into a competitive advantage.

Next article coming very soon!

First Author:
Stephanie Tischhauser, Data Privacy Advisor; Blog Development Contributor @ Pryv SA
Co-author:
Evelina Georgieva, co-founder @ Pryv SA
