Switzerland has a comprehensive legal framework and benefits from the adequacy decision from the EU Commission. While the Federal law regulates the collection and processing of data by federal authorities, cantonal laws govern the activities of cantonal and communal authorities.

Swiss Federal Data Protection Act (DPA)

• Status: in force since 1 July 1993 – under complete revision.
• Applies to, and protects, processing of data relating to private persons (individuals AND organizations) and federal bodies (not cantonal bodies) in Switzerland.
• Revision of this law is under discussion at the Federal Parliament. There is no plan to have a updated framework entering into force before 2019-2020.

Swiss Federal Ordinance on the Data Protection Act

• In force since 1 July 1993.
• Supplements the Swiss DPA and provides some clarifications on certain rights and obligations (such as access rights, internal data protection counselors, declaration of files to the Commissioner, what appropriate and technical organizational measures could mean, etc.)

Ordinance on Data Protection Certification

• This ordinance governs how organizations delivering certifications according to article 11 of the Swiss DPA must be accredited.

In Switzerland, other laws relate to privacy or protect the personality of private persons. This page has no aim to list all of them, as each of them concern a certain type of matter (e.g.: civil code for the protection of personality, code of obligations for the protection of employees, criminal code for prohibiting certain types of behaviours, etc.).

To go further, you can access sectoral laws (not all are accessible in English) relating to data protection on this page, section 235 | on surveillance measures on this page, section 780. Other provisions covers legal aspects of privacy in areas such as the Swiss Criminal Code (for professional or official secrecy), employment law (protection of employee), banking law, health law, social security and unfair competition law

Cybersecurity

Sorry, Switzerland prefers to wait and see.  A Federal bill on  information security with regard to public bodies, is under discussion, but was just rejected on 13 March  2018 by the lower Chamber of the Swiss Federal Parliament.

Access MELANI’s portal: the website of the Swiss Federal Reporting and Analysis Centre for Information Assurance, which delivers reports on cyber incidents, among other tasks.

Directive 95/46/EC

• In force since 24 October 1995. This Directive will be replaced by the GDPR as of 25 May 2018.

EU General Data Protection Regulation

• The General Data Protection Regulation (also called the “GDPR” or “Regulation (EU) 2016/679“) was approved by the EU Parliament on 14 April 2016.
• Enforcement date: 25 May 2018. This Regulation applies to any controller or processors around the world that fall within the material scope (article 2) and the territorial scope (article 3).
• Information about the sanction regime.
• You may find other legal ressources relating to the GDPR on this page.

EU ePrivacy Directive 

• As a complement, and a lex specialis to Directive 95/46/EC (replaced by the GDPR as of 25 Ma 2018), the e-Privacy Directive (also called “Cookie Directive” or “Directive 2002/58/EC“) applies to processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community (article 3).

EU ePrivacy Regulation (draft proposal September 2018)

• This regulation seeks to replace Directive 2002/58/EC – the Cookie Directive to supplement the GDPR.
• As a Regulation, which would be directly applicable to all Member States.
• As a lex specialis to the GDPR, the ePrivacy Regulation will not only supplement, but also supersedes any provision of the GDPR that may conflict with it. See Phil Lee’s article about difficulties and articulations with regard to consent between the GDPR and the ePrivacy Regulation.
• More general information here about the reform of the ePrivacy framework.

e-Evidence Regulation (proposal):

• The European Commission issued a proposal of a new Regulation on “cross-border access to and preservation of electronic data held by service providers“, to fight against (-cyber) crime.
• Along with another law requiring service providers to have an EU representative (such as art. 27 GDPR), the Regulation would give power to force companies to turn over information (such as emails, sms, photos, etc., within 10 days — or as little as six hours when there is “imminent threat to life or physical integrity of a person or to a critical infrastructure” — for investigation of crimes carrying a minimum jail sentence of three years.

NIS Directive on cybersecurity

• Directive (EU) 2016/1148 (also called the ‘NIS Directive‘) seeks to harmonize a highest standard of security within the EU, in particular with the emergence of IoT. The Directive promotes a culture of risk management, by introducing security requirements as legal obligations for the key economic actors, notably operators providing essential services (Operators of Essential Services – OES) and suppliers of some key digital services.
•  In force since 6 August 2016. This Directive gives 2 following deadlines to Member States:
  • until 9 May 2018 to implement the text into their national laws; and
  • until 9 November 2018 to identify operators of essential services.
• Draft Regulation proposal on the ENISA (EU Agency for Netwrok and Information Security), which is under discussion within the EU Parliament.

United States of America only have sectoral laws (in contrast with comprehensive laws), which means that the scope of the US privacy framework do not cover all organizations or all topics. Generally speaking, the US cybersecurity framework is very well developed, where many States have implemented laws and provisions relating to data security, breach notification and remedies. Below you can find some sectoral federal laws:

FTC Act 

• Federal Trade Commission Act (15 U.S.C. §§41-58) (FTC Act) is a federal consumer protection law that prohibits unfair or deceptive practices and has been applied to offline and online privacy and data security policies

Financial Services Modernization Act

• Also called the Gramm-Leach-Bliley Act (GLB), it regulates the collection, use and disclosure of financial information and can apply to businesses that provide financial services and products (banks, securities firms and insurance companies, etc.).

HIPAA

• Health Insurance Portability and Accountability Act regulates medical information.
• It can apply broadly to health care providers, data processors, pharmacies and other entities that come into contact with medical information and regulates transfer of medical data.

Other laws relate to information protection, such as HIPAA Omnibus Rule (notice of a breach of protected health information), Fair Credit Reporting Act, Electronic Communications Privacy Act and Computer Fraud and Abuse Act are regulating the interception of electronic communications and computer tampering, Judicial Redress Act, giving citizens of certain ally nations  the right to seek redress in US courts for privacy violations when their personal information is shared with law enforcement agencies.

US NIST Framework

• The US NIST framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk.

• Cybersecurity
• Digital Health Criteria
• Guidances with Digital Health Content
• Health IT Risk-Based Framework
• Medical Device Interoperability
• Software as a Medical Device (SaMD)
• Mobile Medical Applications
• Wireless Medical Devices
• Digital Health Software
• Precertification (Pre-Cert) Program

This section is under construction.

This section is under construction.