SWITZERLAND Law and Practice Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd
attacks against service providers and the need for financial institutions to improve their responsibilities and control activities with regard to service providers. FINMA has also updated its Circular 2023/1 Operational Risks and Resilience – Banks, with the updates coming into force on 1 January 2024. It requires banks and investment firms to report certain cyber-attacks within 24 hours of becoming aware of them and to submit a full report within 72 hours. FINMA has recently clarified in its Guidance 03/2024 that, where a third-party provider is affected by a reportable incident, the 24-hour deadline starts with the provider becoming aware of the incident, requiring banks to agree shorter notification periods with their providers.

In case of a breach of the sectoral rules, FINMA has a varied toolbox of enforcement means. These include the revocation of licences to practise, fines or even custodial sentences. FINMA also occasionally, and for preventative purposes, relies on a “name and shame” strategy, meaning that the author of any offence against the regulatory rules is publicly named.

1.4 Data Protection Fines in Practice

As noted in the foregoing, the revised FADP introduces stricter enforcement mechanisms than its older version. Unlike the EU’s GDPR, the FADP focuses on holding individuals personally accountable. Criminal law fines for intentional violations can reach up to CHF250,000 and apply to individuals with decision-making authority. Key infractions include failing to provide required information to data subjects, non-cooperation with investigations by the FDPIC, unauthorised cross-border data transfers and breaches of confidentiality obligations. However, negligence is not punishable, and some violations like failing to report data breaches do not attract fines. Enforcement typically requires a complaint from an affected individual.

However, the FDPIC has become more active in investigating potential violations of the FADP. For example, in May 2023, a ransomware attack on the company Xplain led to the publication of a significant volume of personal data, including sensitive information from the federal administration, on the darknet. Following this breach, the FDPIC initiated investigations into the Federal Office of Police (fedpol) and the Federal Office for Customs and Border Security (FOCBS), and into Xplain itself. Other prominent investigations under the old FADP included Digitec Galaxus, one of Switzerland’s largest online retailers, for customer accounts and personalised ads, and TX and Ricardo, a major Swiss media company and the Swiss equivalent of eBay, for tracking and personalised ads. These investigations resulted in non-binding recommendations under the then-current FADP. Under the current FADP, several investigations have concluded or are ongoing, but – so far and to the extent known – without broader impact.

1.5 AI Regulation

In Switzerland, there is currently no overarching regulation of the use of AI. The FDPIC has published multiple statements and non-binding guidelines on how to address data protection matters in this area. In this context, the FDPIC pointed out that the Data Protection Act, in force since 1 September 2023, is directly applicable to AI-based data processing. Further, sector-specific regulations address particular data protection issues. For example, the Swiss government has also created a general
421 CHAMBERS.COM