The countdown is on: one year to get ready for the EU General Data Protection Regulation (GDPR)

On 24 May 2016 the EU General Data Protection Regulation (GDPR) entered into force. After the two-year transition period, it becomes directly applicable on 25 May 2018.

The new EU data protection legislation introduces substantial changes for companies dealing with personal data. Among the key changes are the new requirements on transparency, proportionality and documentation when processing personal data, each of which poses a significant challenge for companies. In addition, the new legislation substantially strengthens the rights of the individuals concerned, the data subjects, who now have clear-cut rights vis-à-vis the companies processing their data. The key rights include the right to information, the right to rectification and erasure of personal data, the right to restriction of processing, the right to data portability and the right to object to processing. As data controllers, companies have to be able to honour all of these rights.

Besides new duties and compliance obligations for companies, data protection authorities are given new competences and enforcement instruments. Standing out are the new administrative fines of up to EUR 20m or 4% of the worldwide annual turnover of the company concerned, whichever is higher.

Recommendation

Swiss companies that are subject to the GDPR (e.g. because they do business in the EU) now have one year to make the adaptations necessary to comply with it. The new requirements need to be analysed, gaps identified, and mitigation actions planned and implemented. It is important to be prepared.

Contacts:

Susanne Hofmann
Legal Compliance Leader
+41 58 792 17 12

Michael Adrian Meyer
Legal Services – Senior Manager
+41 58 792 51 31

Reto Häni
Partner and Leader Cybersecurity
+41 58 792 75 12

Idir Laurent Khiar
Legal Services – Assistant Manager
+41 58 792 17 51

Swiss-US Privacy Shield: New Framework for the Transfer of Data to the USA

The so-called Swiss-US Privacy Shield replaces the Safe Harbor Agreement between Switzerland and the USA. The agreement establishes a new regulatory framework for the transfer of personal data from Switzerland to certified companies domiciled in the US. The same standards will apply to Swiss transfers of personal data to the USA as to data transfers from the EU.

Swiss data protection legislation stipulates specific requirements for the transfer of personal data abroad, which protect the personality and the rights of the data subjects concerned. The US, however, is not deemed to provide an adequate level of data protection under Swiss law. Swiss companies therefore have to take specific measures to safeguard personal data when it is transferred to the US.

Until recently, Swiss companies could rely on the Swiss-US Safe Harbor Agreement. After the Court of Justice of the European Union declared the EU-US Safe Harbor Agreement invalid, the Swiss Federal Data Protection and Information Commissioner (FDPIC) called the Swiss-US Safe Harbor Agreement into question as well.

In 2016 the EU and the USA put in place a successor framework, the EU-US Privacy Shield, which has been operational since August 2016. Switzerland also entered into negotiations with the USA, which resulted in the Swiss-US Privacy Shield.

Enhancing the Application of Data Protection Principles, New Tasks for the FDPIC
The agreement is expected to substantially improve the position of those affected by personal data transfers. The application of data protection principles by participating companies should be enhanced, as should the management and supervision of the framework by the US authorities. Cooperation between the US Department of Commerce (DOC) and the Federal Data Protection and Information Commissioner (FDPIC) should be intensified. The persons concerned are given specific instruments enabling them to find out about data processing directly from certified US companies or from the competent authorities, and to ensure that any required corrections or deletions are made. For example, the FDPIC will act as a point of contact for persons in Switzerland in the event of problems in connection with the transfer of their data.

Same Conditions as in the EU for the Transmission of Personal Data to the US
The new regulatory framework corresponds to the solution adopted by the USA and the EU and implemented within the European Economic Area (EEA), the EU-US Privacy Shield. This similarity is highly significant, as it guarantees the same framework conditions for persons and businesses in Switzerland and in the EU/EEA in relation to transatlantic data flows. The same standards therefore apply to Swiss personal data transfers to the USA as to data transfers from the EU. This increases legal certainty in commercial transactions and reduces additional costs for the economy.

Need for Action for Companies
US companies can start the certification process with the DOC three months after the finalisation of the agreement. Interested US companies are advised to self-certify with the DOC under the Swiss-US Privacy Shield, and Swiss companies should make sure that their US partners hold such a certification. Only then can Swiss companies transfer personal data to the US without requiring additional contractual guarantees. Furthermore, companies should review the current contractual basis for their data transfers to the US and adapt it to the Swiss-US Privacy Shield where required.

New Swiss Federal Data Protection Act

Just before Christmas, the Federal Council published the preliminary draft for the revision of the Swiss Federal Data Protection Act (FDPA). The focus of the revision is to strengthen data protection and the individual rights of citizens. At the same time, developments at European level are taken into account, in particular the recently adopted General Data Protection Regulation (GDPR) of the European Union and the Data Protection Convention of the Council of Europe (ETS 108).


Contacts:

Susanne Hofmann-Hafner
Leader Legal Compliance
susanne.hofmann@ch.pwc.com
+41 58 792 17 12

Michael Adrian Meyer
Data Protection specialist
michael.adrian.meyer@ch.pwc.com
+41 58 792 51 31

Marco Schurtenberger
Risk Assurance & Cyber security specialist
marco.schurtenberger@ch.pwc.com
+41 58 792 22 33

Data privacy in the EU: What is the latest news?

The EU/US Privacy Shield is formally adopted

More than nine months after the Court of Justice of the European Union invalidated Safe Harbor, the EU/US Privacy Shield has been approved. From 1 August 2016 onward, US organisations can self-certify to the Privacy Shield programme, and European companies can rely on it for transfers of personal data to certified US organisations.

What are the main differences?

The Privacy Shield contains detailed requirements for US organisations to safeguard EU residents’ personal data. To join the programme, a US organisation must meet four requirements: (i) it must fall under the enforcement authority of the Federal Trade Commission (FTC) or another US agency that can ensure compliance; (ii) it must publicly commit to comply with the Privacy Shield Principles; (iii) it must publicly disclose its data protection policy; and (iv) it must implement the Principles. Most of the Privacy Shield Principles were already part of the Safe Harbor framework. However, some of the Principles have been strengthened, making the Privacy Shield stronger than Safe Harbor. Relevant differences from the former Safe Harbor include:

  • stronger obligations for US companies to protect the transferred personal data (e.g. the data integrity and purpose limitation principle, and the accountability for onward transfer principle), including closer monitoring by the US Department of Commerce and the FTC of whether companies are fulfilling their obligations,
  • written commitments by the United States to prevent generalised access to personal data, and
  • the creation of an ombudsperson mechanism in the United States to handle and resolve complaints raised by affected EU individuals.

The Privacy Shield has many critics, who mainly argue that the programme cannot protect the transferred personal data from mass surveillance by the United States government, which was one of the reasons the European Court of Justice invalidated Safe Harbor. One of the new additions is in fact an authority (the ombudsperson) to handle claims by EU citizens over surveillance or data privacy abuse, but critics of the Privacy Shield consider that these new provisions do not address surveillance in any significant way. There is therefore a chance that the Privacy Shield programme will suffer the same fate as the Safe Harbor framework.

Further developments

Schrems vs Facebook – take 2

Ireland’s Data Protection Commissioner announced in May 2016 that she will continue to investigate Max Schrems’ complaint as to whether the EU Standard Contractual Clauses remain a valid mechanism for data transfers to the United States. The Commissioner intends to seek declaratory relief in the Irish High Court and a referral to the European Court of Justice to determine the legal status of data transfers under the Standard Contractual Clauses.

“Microsoft Ireland case”

Microsoft recently won a legal case in which the United States Court of Appeals ruled that Microsoft cannot be forced by the United States government to hand over emails stored on Microsoft servers outside the United States. Data stored in Microsoft’s EU data centre in Ireland is thus beyond the reach of a search warrant issued under the Stored Communications Act (SCA).

Conclusion

The EU/US Privacy Shield can be used in the EU as a legal basis for transferring personal data to the United States from August 2016. Affected companies are nevertheless advised to monitor developments in the data protection area, since the Privacy Shield might be ruled invalid as well, and even the future of the Standard Contractual Clauses remains unclear.

What does it mean for Switzerland?

Many Swiss organisations rely on transferring personal data to the United States. As the EU/US Privacy Shield improves the level of data protection for transatlantic data transfers, it is desirable that Switzerland and the United States agree on a successor to the Safe Harbor framework comparable to the Privacy Shield. The Swiss authorities are expected to negotiate a similar programme covering data transfers between Switzerland and the United States in the near future.

Contacts:

Susanne Hofmann, Legal Compliance Leader Switzerland, susanne.hofmann@ch.pwc.com, +41 58 792 17 12

Marco Schurtenberger, Specialist Cyber security & IT compliance, marco.schurtenberger@ch.pwc.com, +41 58 792 22 33

Data Protection: EU Data Protection Law Has Changed

In May 2016 the official texts of the General Data Protection Regulation (“GDPR”) were published in the EU Official Journal in all the official languages. The GDPR entered into force on 24 May 2016 and applies from 25 May 2018.

The GDPR will replace the currently still applicable EU Data Protection Directive 95/46/EC and imposes a much tougher data protection regulatory framework across the EU on the processing of personal data.

Please see our short flyer on the GDPR essentials, which outlines the most important changes and innovations of the new regulation.

Who is affected?

Based on its defined scope, the GDPR affects a wide range of entities, including entities outside the EU territory. The GDPR applies to

  • all establishments of controllers or processors (companies, organisations, etc.) in the EU that process personal data, and
  • all controllers or processors based outside the EU that target, offer or sell goods or services to persons in the EU, as well as controllers or processors that monitor the behaviour of persons within the EU.

Thus, based on the second point above, organisations based in Switzerland will also have to comply with the GDPR if they offer goods or services to persons in the EU or monitor their behaviour.

Conclusion:

We recommend assessing early whether and how you are affected by the upcoming GDPR. If your company falls within its territorial scope, initiate an analysis of your data flows, data types, processing purposes and processing operations, and take a risk-based approach to closing the gaps appropriately in order to become GDPR compliant.

PwC can support you at different stages of your “GDPR Compliance Journey”. For example, PwC has developed a Readiness Assessment Tool (“R.A.T.”) consisting of approximately 60 key questions with pre-populated answers linked to a maturity matrix. In a R.A.T. session we guide you and the relevant key stakeholders (e.g. Legal, Compliance, IT, Data Protection Officer) through the questionnaire. Through the interview we gain an understanding of your current level of readiness to comply with the new GDPR requirements. The result is a risk-weighted report on your GDPR maturity. See also our flyer on R.A.T.

Contacts:

Susanne Hofmann, Legal Compliance Leader Switzerland, susanne.hofmann@ch.pwc.com, +41 58 792 17 12

Marco Schurtenberger, Specialist Cyber security & IT compliance, marco.schurtenberger@ch.pwc.com, +41 58 792 22 33

New European General Data Protection Regulation (GDPR) published

The European General Data Protection Regulation (GDPR) has been published in the EU’s Official Journal today.

What does this mean

This means that the GDPR will be fully applicable in all EU member states with effect from 25 May 2018, and compliance with the GDPR is mandatory for

  • all establishments of controllers or processors (companies, organisations, etc.) in the EU that process personal data, and
  • all controllers or processors based outside the EU that target, offer or sell goods or services to persons in the EU, as well as controllers or processors that monitor the behaviour of persons within the EU.

Organisations based in Switzerland will also have to comply with the provisions of the GDPR if they process the personal data of individuals in the EU. Becoming compliant is important for the organisations affected, as the GDPR strengthens the rights of data subjects and gives data protection authorities more powers to oversee compliance. Significant fines and sanctions can be imposed in cases of non-compliance. Many organisations will need to start planning their compliance activities now to ensure that they have enough time to become compliant.

How can we help?

Schedule one hour with one of our privacy experts below to undertake our GDPR Readiness Assessment using our interactive survey.

Webinar in June 2016

We would like to invite you to join a webinar on data protection that we are planning for June 2016. Please click here to register. In this webinar we will inform you about the latest developments around the GDPR and related matters such as the EU/US Privacy Shield. We will also give an overview of where we see the potentially biggest gaps compared to the current data protection laws.

Contacts

If you have any questions, please do not hesitate to get in contact with us:

Susanne Hofmann 
Head of Legal Compliance

Marco Schurtenberger
Specialist Cyber Security & IT Compliance

Webinar: Data Protection – Recent and upcoming changes

Webinar – Tuesday, 26 January 2016

Right to be forgotten, data portability, data privacy by design and default, expanded enforcement powers and high sanctions risks, transparency,…

All these measures are being intensely discussed in the data protection area, and future data protection regulations are expected to make them mandatory.

In our webinar we would like to give you an overview of recent and upcoming data protection changes in Switzerland and the EU. Starting from the recent invalidation of Safe Harbor (the Schrems v Facebook judgment), through the draft EU General Data Protection Regulation (GDPR), to the ongoing revision of the Swiss Federal Data Protection Act, we give you an update and an outlook on what they mean, what they intend to change and what the possible impact is for Swiss companies.

In addition, we give you a brief overview of the EU Cybersecurity Directive expected in 2016 and of who will be affected by it.

These and other questions will be addressed during our webinar, which we cordially invite you to join. The webinar will be recorded and made available afterwards on our website.

Registration

There is no fee for attendance. Please register here via the online registration site. Once registered, you will receive a confirmation notice with complete webcast access instructions.

Date

Tuesday, 26 January 2016

Time

4.00 – 5.00 pm

PwC is looking forward to welcoming you online. Register now!

General Data Protection Regulation GDPR

The European Union (“EU”) has reached agreement on the General Data Protection Regulation (“GDPR”). A “strong compromise” was found on how to ensure a high level of data protection across the EU; the text was agreed by the EU Parliament and the Council on December 15, 2015.

The GDPR will impose a radically tougher data protection regulatory framework across the EU on the processing of personal data. Every EU-based “controller” or “processor” of personal data will be regulated, as will every controller based outside the EU that targets or sells goods or services to people in the EU or monitors their behaviour. This means that companies based in Switzerland will also have to comply with the provisions of the GDPR when processing the personal data of people in the EU.

The big innovations in the GDPR

The adoption of the GDPR will present many entities everywhere with numerous new challenges. Key issues to be aware of include:

Compliance
Strict new compliance requirements will be imposed. For example, entities will have to perform “Privacy Impact Assessments”, conduct privacy audits and also have to implement “Privacy by Design” methodologies into their business processes.

Usage controls
Personal data will be subject to strict new usage controls (including “data minimisation”, “data portability” and the “right to be forgotten” principles).

Consent
Obtaining consent to use personal data will be much harder to achieve and to prove.

Bundling
The provision of a service that is conditional upon the individual giving permission for their data to be used for non-essential purposes (such as marketing) will be prohibited.

Aggregation
The ability to aggregate data to enable an individual to be profiled will be severely reduced.

Supervision
Regulators will also be empowered to carry out audits and inspections of entities on demand.

Breach disclosure
Entities will be required to report personal data breaches to the regulators and, where the breach poses a high risk to them, to the people affected.

Fines
Serious violations of these new requirements will be punishable by fines of up to 4% of group annual worldwide turnover or EUR 20m, whichever is higher (the Council and Parliament drafts had proposed 2% and 5% respectively).

Litigation
Citizens and pressure groups will be given the right to engage in group litigation (“class actions”) to recover compensation, including for distress caused by breaches of the law.

The EU GDPR therefore raises countless compliance issues, and it would be very easy to “get lost” in so much detail. Work will need to be done to understand the impact on each organisation and to prioritise the compliance effort.

How PwC can help you

As a multi-disciplinary practice, we are uniquely placed to help you adjust to the new regulatory environment. Our global data protection team includes lawyers, consultants, auditors, technical risk specialists, forensics experts and strategists.

Save the date

We are holding a Webinar on Tuesday 26 January 2016 4pm, during which we will update you with our latest thinking on the GDPR, and talk about the impact of the new requirements for data protection and what this means for Swiss business. We are looking forward to discussing this topic with you. An invitation will be included in the January Newsletter.

Please click here to register for the Webinar.

For more information on the subject of data protection, please refer to the article Safe Harbor: stormy seas in Europe – impending storm in Switzerland?