Switzerland: New Data Protection Law passed parliament

Next step, is waiting if there will be a referendum. (100 day period)
The FDPIC will make detailled statements on the new law once the referendum period has passed.

There is a good write-up in German by Noémi Ziegler at
https://datenrecht.ch/die-dsg-revision-ist-abgeschlossen/

David Rosenthal (VISCHER) has a summary at
https://www.vischer.com/know-how/blog/neues-datenschutzgesetz-das-muessen-sie-wissen-38752/

Final text (in parliament) is here:
https://www.parlament.ch/centers/eparl/curia/2017/20170059/Schluzssabstimmungstext%203%20NS%20D.pdf

The VUD published an overview here:
http://www.vud.ch/view/data/2124/vud_rohstoff_revidiertes_dsg.pdf

California: AG settlement with Fertility App company

Xavier Becerra: ” Today’s settlement is a wake up call not just for Glow, but for every app maker that handles sensitive private data.”

Landmark settlement against GlowHQ – a fertility app that had serious privacy and security failures that risked exposing millions of women’s medical information.

As part of the settlement, Glow will be required to:

  • incorporate privacy and security design principles into its mobile apps,
  • get consent from users before sharing private information,
  • and allow users to revoke previously granted consent.

https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-landmark-settlement-against-glow-inc-%E2%80%93

Link to settlement: https://oag.ca.gov/sites/default/files/2020%2009-17%20-%20People%20v%20Upward%20Labs%20-%20Stipulation.pdf

Link to complaint: https://oag.ca.gov/sites/default/files/2020%2009-17%20-%20People%20v%20Upward%20Labs%20-%20Complaint.pdf

Switzerland and Schrems II – Policy Paper by the FDPIC

The Swiss Federal Data Protection Commissioner (FDPIC, or in German “EDÖB”) published the policy paper below on the impact of Schrems II.

A third party high-level summary (in German) is provided here: https://datenrecht.ch/edoeb-stellungnahme-zu-schrems-ii/

“Policy paper on the transfer of personal data to the USA and other countries lacking an adequate level of data protection within the meaning of Art. 6 Para. 1 Swiss Federal Act on Data Protection”
https://www.edoeb.admin.ch/dam/edoeb/de/dokumente/2020/Positionspapier_PS_%20ED%C3%96B_EN.pdf.download.pdf/Positionspapier_PS_%20ED%C3%96B_EN.pdf

From the policy paper_
4.1 Practical advice for Swiss companies
When transferring data to non-listed countries in the future, data exporters should always consider each individual case with due diligence:
a) If the disclosure of data is based on contractual guarantees such as SCCs within the meaning of Art. 6 Para. 2 Let. a FADP, a risk assessment should be carried out. The exporter should check whether the clauses cover the data protection risks existing in the non-listed country. If necessary, the clauses should be ex-panded, although this in itself remains of limited effect if the public law of the given country takes precedence and deviates from these, as explained under b) below.

b) When examining data protection risks, it is of particular relevance whether the data is transferred to a company in a non-listed country that is subject to special access by the local authorities.18 It must also be considered whether the foreign recipient company is entitled and in a position to provide the cooperation necessary for the enforcement of Swiss data protection principles. If this is not the case, any provisions in the SCCs concerning the obligation to cooperate are negated.

c) In such cases, the Swiss data exporter must consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data. If data is stored solely in the cloud by service providers in a non-listed country, for example, encryption would be conceivable, along the principles of BYOK (bring your own key) and BYOE (bring your own encryption), so that no individual personal data would be available in the destination country and if the service provider would have no possibility of decoding the data themselves. For services in the target country that go beyond mere data storage, however, the use of such technical measures is demanding. If such measures are not possible, the FDPIC recommends refraining from transferring personal data to the non-listed country on the basis of contractual guarantees.