This page is being translated and finalised and will soon be available in French!
DATA PROTECTION AND CYBERSECURITY
Here are the most important legislative texts relating to data protection, health and technology.
Swiss law provides a complete legal framework on data protection and is the subject of an adequacy decision by the European Commission, so Switzerland is considered a third country offering an adequate level of protection. The LPD covers personal data processed by federal authorities and private persons, while 26 cantonal laws govern processing carried out by cantonal and communal authorities.
Federal Act on Data Protection (LPD)
- Status: in force since 1 July 1993 – currently undergoing a complete revision.
- Applies to the processing of data concerning natural and legal persons carried out by private persons and federal bodies.
- Discussions are ongoing in the Federal Parliament. There is no indication that this law will enter into force before 2019-2020.
Revision of the LPD (draft under revision)
The Federal Act on Data Protection is being completely recast in order to align with the new European rules, in particular the General Data Protection Regulation (GDPR). The latest version of the draft revision is accessible here. According to the discussions in the Federal Parliament, no date of entry into force has been communicated. As it stands, the draft revision of the LPD will contain some Swiss particularities and differences from the European rules.
Federal Ordinance on Data Protection (OLPD)
- In force since 1 July 1993.
- Supplements the LPD and clarifies certain rights and obligations (such as access rights, internal data protection advisers, how to register data files with the Federal Commissioner, which technical and organisational means and measures are used to protect data, etc.).
Ordinance on Data Protection Certification
- This ordinance governs the legal framework for organisations that issue certifications in accordance with Article 11 LPD and how these bodies can obtain accreditation.
In Switzerland, other sectoral laws deal with the protection of personal data and the protection of the personality of private persons in particular contexts. These legal provisions are generally contained in the following texts: the Civil Code (protection of personality and freedom of the press), the Code of Obligations (protection of employees' personality) and the Criminal Code, which prohibits certain behaviours (data theft, recording of data without consent, etc.).
On this page, at paragraph 235, a more detailed list gives further details on the legal provisions dealing with personal data. Regarding surveillance measures, more details are available at paragraph 780 of this page. Other statutory provisions are contained in the Criminal Code (on breach of professional secrecy), employment law (protection of employees), banking law, medical and health law, social insurance law and unfair competition law.
Cybersecurity
Sorry, Switzerland prefers to wait and see. A Federal bill on information security with regard to public bodies is under discussion, but was rejected on 13 March 2018 by the lower Chamber of the Swiss Federal Parliament. The revision of the Federal Act on Data Protection will include some rules on notification obligations in the event of a data protection security incident.
Access MELANI’s portal: the website of the Swiss Federal Reporting and Analysis Centre for Information Assurance, which delivers reports on cyber incidents, among other tasks.
Directive 95/46/EC
- In force since 24 October 1995. This Directive will be replaced by the GDPR as of 25 May 2018.
EU General Data Protection Regulation
- The General Data Protection Regulation (also called the “GDPR” or “Regulation (EU) 2016/679“) was approved by the EU Parliament on 14 April 2016.
- Enforcement date: 25 May 2018. This Regulation applies to any controller or processors around the world that fall within the material scope (article 2) and the territorial scope (article 3).
- Information about the sanction regime.
- You may find other legal resources relating to the GDPR on this page.
EU ePrivacy Directive
- As a complement, and a lex specialis, to Directive 95/46/EC (replaced by the GDPR as of 25 May 2018), the e-Privacy Directive (also called the “Cookie Directive” or “Directive 2002/58/EC“) applies to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community (article 3).
EU ePrivacy Regulation (draft proposal)
- This regulation seeks to replace Directive 2002/58/EC (the Cookie Directive) in order to supplement the GDPR.
- As a Regulation, it would be directly applicable in all Member States.
- As a lex specialis to the GDPR, the ePrivacy Regulation will not only supplement, but also supersedes any provision of the GDPR that may conflict with it. See Phil Lee’s article about difficulties and articulations with regard to consent between the GDPR and the ePrivacy Regulation.
- More general information here about the reform of the ePrivacy framework.
e-Evidence Regulation (proposal):
- The European Commission issued a proposal for a new Regulation on “cross-border access to and preservation of electronic data held by service providers“, to fight against (cyber)crime.
- Along with another law requiring service providers to have an EU representative (similar to art. 27 GDPR), the Regulation would give authorities the power to force companies to turn over information (such as emails, SMS, photos, etc.) within 10 days — or as little as six hours when there is an “imminent threat to life or physical integrity of a person or to a critical infrastructure” — for the investigation of crimes carrying a minimum jail sentence of three years.
NIS Directive on cybersecurity
- Directive (EU) 2016/1148 (also called the ‘NIS Directive‘) seeks to harmonise a high standard of security within the EU, in particular given the emergence of IoT. The Directive promotes a culture of risk management by introducing security requirements as legal obligations for key economic actors, notably operators providing essential services (Operators of Essential Services – OES) and suppliers of some key digital services.
- In force since 6 August 2016. This Directive gives Member States the following two deadlines:
- until 9 May 2018 to implement the text into their national laws; and
- until 9 November 2018 to identify operators of essential services.
- A draft Regulation proposal on ENISA (the EU Agency for Network and Information Security) is under discussion in the EU Parliament.
The United States of America only has sectoral laws (as opposed to comprehensive laws), which means that the scope of the US privacy framework does not cover all organizations or all topics. Generally speaking, the US cybersecurity framework is very well developed, and many States have implemented laws and provisions relating to data security, breach notification and remedies. Below you can find some sectoral federal laws:
FTC Act
- The Federal Trade Commission Act (15 U.S.C. §§41-58) (FTC Act) is a federal consumer protection law that prohibits unfair or deceptive practices and has been applied to offline and online privacy and data security policies.
Financial Services Modernization Act
- Also called the Gramm-Leach-Bliley Act (GLB), it regulates the collection, use and disclosure of financial information and can apply to businesses that provide financial services and products (banks, securities firms and insurance companies, etc.).
HIPAA
- Health Insurance Portability and Accountability Act regulates medical information.
- It can apply broadly to health care providers, data processors, pharmacies and other entities that come into contact with medical information and regulates transfer of medical data.
Other laws relate to information protection, such as the HIPAA Omnibus Rule (notice of a breach of protected health information); the Fair Credit Reporting Act; the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, which regulate the interception of electronic communications and computer tampering; and the Judicial Redress Act, which gives citizens of certain allied nations the right to seek redress in US courts for privacy violations when their personal information is shared with law enforcement agencies.
US NIST Framework
- The US NIST framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk.
eHealth, medical devices and life sciences
USA
The USA has the most comprehensive and mature legal framework and guidance documents relating to digital health compared to other countries. It would be unrealistic to list them all, so you will find here some links to hot topics related to digital health and technologies in the context of health.
Europe
Europe has a harmonized legislative framework and common standards relating to health. With no central agency handling drugs and medical devices, each EU country has its own health-related regulatory agency and, therefore, a different approach.
This section is under construction.
Switzerland
The Swiss framework is based on the EU framework. Some EU texts are even copied into Swiss laws or referenced as being directly applicable in Switzerland. Swissmedic is the health regulatory authority responsible for market access for drugs and medical devices.
This section is under construction.