The data protection law should regulate the profiling of high-risk personalities. But the Council of States has yet to confirm.
High-risk profiling will be included in the data protection law. The National Council finally agreed on Thursday to make this practice subject to special requirements, following the proposal of the conciliation conference.
The question of profiling has divided the Chambers for three years. The left and the PVL have staunchly defended that the processing of data making it possible to draw up a precise profile of the personality of citizens through the matching of data from different sources should be strictly supervised. They finally won.
“We need a modern data protection law adapted to European requirements,” said Matthias Samuel Jauslin (PLR / AG) for the committee. The version presented by the conciliation conference thus explicitly mentions high-risk profiling. The National accepted it by 134 votes against 42, the UDC being the only formation to reject it. The Council of States has yet to confirm.
This clarification is based on the definition provided by current law for personality profiles and provides exactly the same level of protection as the law in force. Legal certainty is therefore guaranteed. In addition, it does not imply any increase in procedures for companies, recalled Damien Cottier (PLR / NE).
Adapted to Big Data
The right had blocked it, considering this provision unnecessary. She further argued that this definition of profiling does not exist in European law.
The revised law is therefore adapted to digitization and Big Data. Today, thanks to movement data, we can see who meets who, when, at what time and where. This information deserves special protection, repeatedly reminded Balthasar Glättli (Verts / ZH).
During all the debates, the UDC and the PLR did everything to limit the new obligations imposed on companies to the strict minimum. On the contrary, the left and the PVL have put forward the need to protect users and their data, sometimes without success.
The left had threatened not to pass the bill in the final vote if the profiling was not specified. The UDC has been opposed to this new regulation throughout, which it considers a bureaucratic monster. Justice Minister Karin Keller-Sutter warned that a failure of the law would hurt businesses above all.
Equivalence with the EU
The revision of the law aims to obtain recognition by the European Union (EU) of equivalence in the field of data protection. In the EU, the new General Data Protection Regulation (GDPR) entered into force on May 25, 2018. Switzerland had until May 20 to align.
Without equivalence, companies would be forced to prove on a case-by-case basis that they guarantee data protection. To avoid this costly prospect, the law contains several provisions to comply with European standards.
The revision provides citizens with better protection of their data. They should be informed. The protection of minors is guaranteed. The persons whose data will be processed must be of legal age. There is a list of data considered sensitive. Companies will be subject to certain new obligations.
The law also strengthens the powers of the Federal Data Protection and Transparency Officer. As for penalties, fines may amount to a maximum of 250,000 francs. Only natural persons may be punished in the event of an offense. Companies only in well-defined cases.
By way of comparison, the EU sanctions violations of European law with fines of up to 10 million euros, and even 20 million for companies.