Switzerland must update its outmoded data protection laws to bring them in line with sweeping new European privacy regulations, say data experts.
The European Commission recently proposed tough new reforms to help people regain control of personal online data from sites like facebook and Google. The Swiss authorities are examining changes to national law that may be ready by 2014.
The new European legislation, presented by European Union Justice Minister Viviane Reding on January 25, aims to give consumers ownership of their own data and to harmonise the patchwork of different laws in force across the European Union’s 27 countries.
This is part of a global government crackdown on the commercial use of personal information amid growing public awareness about the issue. The United States, China and India are all busy drafting guidelines but with differing approaches.
After an evaluation of the 20-year-old Swiss Data Protection Act last year, the federal authorities are gearing up for legal changes.
“We need to rapidly review our data protection legislation to adapt it to the new technological and social landscape,” Deputy Federal Data Protection Commissioner Jean-Philippe Walter told experts last week in Lausanne at the launch of a new online service, Think Data (see sidebar).
Changes to Swiss law will be strongly influenced by the proposed EU reforms, modifications to a Council of Europe convention and the Schengen accord, Walter told swissinfo.ch.
“Today there are no boundaries for data. Switzerland is not an island and companies that are active in Europe need to have identical or harmonised rules,” he said.
“We want to strengthen individuals’ rights and impose new obligations on data handlers, like the ‘right to be forgotten’, and incite firms to develop technologies that encourage data protection from the outset.”
The “right to be forgotten” means internet companies would be obliged to erase data and possibly also traces of it in search engines such as Google and elsewhere if members withdraw their consent for it to be used.
The deputy commissioner would also like to see federal and cantonal data protection bodies given more powers, and dissuasive financial penalties against troublesome firms.
“Technology must remain at the service of man and not the opposite,” he added.
Sébastien Fanti, a lawyer specialising in internet issues, says it is important to urgently update Swiss law within a neutral, global framework.
“Information technologies invade all aspects of our daily lives and the average user is incapable of knowing whether their personal data is being handled or not,” he said.
“Today things evolve very quickly. Google last week announced changes to its privacy policies, but how far does it conform to our laws? I don’t know,” he said.
Fanti said Switzerland had no choice but to align itself with the tough European reforms.
“I have told my clients that they should not wait but anticipate the forthcoming legal and technical changes,” he said.
The European Commission claimed its harmonised approach would save firms €2.3 billion (SFr2.7 billion) a year in administrative costs. But some business interests are unhappy.
"The risk in the proposal's current design is that it will bog down companies with onerous compliance requirements, which could inhibit digital innovation at the expense of job creation and growth,” Thomas Boue, director of European affairs for the Business Software Alliance told the Associated Press news agency. Members of the alliance include Microsoft, McAfee, Adobe, Intel and other internet giants.
The “right to be forgotten” measure has also sparked concerns, with some arguing that it would be virtually impossible to ensure all copies of data are deleted.
Personal information covered by the European proposal would include names, photographs, email addresses, bank details, social networking posts, medical information, and various other data.
Harmonising privacy laws worldwide will not be easy.
The US government is expected to soon release its own proposals. Philip Verveer, the US coordinator for international communications and information policy, welcomed the EU plan and said the US would try to get "mutual recognition" of each initiative.
But the American proposal would offer "a somewhat different approach", Verveer said, adding that the goal was to have two "interoperable" systems to reassure citizens on both sides of the Atlantic that their data is well protected.
In an interview with Le Temps newspaper on January 30, Reding said EU proposals would probably be implemented ahead of any US measures.
“As a consequence US-based firms will be forced to adopt our data protection standard if they offer their services to European citizens. The European law will become the global standard,” she declared.
Fanti said differences in American and European attitudes towards data protection would soon disappear and the US was likely to assume a tough line.
“The trend in the US today is towards controlling personal data. Look what they just did with facebook; they told them they would control them for the next 20 years, and the US Congress want explanations about Google’s new privacy policies,” he said.
“The gap between the Europe and US will disappear and the US will become leaders in data protection; they will become more severe than us.”
The online Think Data service was created jointly by the Federal Data Protection Commissioner, canton Geneva, Geneva University, the Swiss Graduate School of Public Administration and the Geneva Technological Observatory.
It is designed to help local authorities and companies navigate their way through the legal minefield of data protection issues in the workplace. It presents various data protection case studies, questions, solutions and legal examples.
The site is available in French. Other language versions are due to be prepared soon.
European data protection
The new EU proposals are designed to bolster significantly regulators' powers on fighting data-protection breaches, requiring companies to notify regulators when data has been stolen or mishandled.
The proposals also give member states new powers to fine companies up to 1% of their global revenues for violating EU data rules.
The proposals grant broad, new rights to individuals, including a so-called "right to be forgotten" that would allow people to request that their information be erased and not disseminated online.
The rules also create a "right to data portability" to ensure that people can easily transfer their personal information between different companies or services.
The new rules come amid widespread change in how people use the internet. Social networks such as facebook and LinkedIn have attracted nearly a billion users, while so-called cloud computing services, which allow businesses and people to stock data on distant servers and access it anywhere, are going mainstream.
The EU regulation will need to be approved by national governments and the legislative process is likely to take at least two years, so the rules could still change considerably. Internet companies will not be required to comply before 2014 or 2015.