SWITZERLAND Law and Practice Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd
company that complies with the GDPR should generally be in compliance with the FADP (with some exceptions and caveats). Moreover, revis - ing the FADP has been a key factor in the Euro - pean Commission’s confirmation on 15 January 2024 of its finding that Switzerland’s data pro - tection legislation provides an adequate level of data protection under the GDPR. For data processing in relation to criminal pros - ecution, and in the framework of police and judicial co-operation, Switzerland transposed, on 30 January 2019, EU Directive 2016/680 into domestic Swiss legislation through the FADP. It expedited the adoption of this piece of legis - lation, with the relevant changes entering into force on 1 March 2019. The most important developments are the entry into force of the FADP on 1 September 2023 and the new ISA (see 1.1 Overview of Data and Privacy-Related Laws ). The Swiss government’s efforts to bolster and centralise cybersecurity and cyberdefence activ - ities are also a promising and ongoing devel - opment. In that respect, many commentators have been sounding the alarm as it appears that Swiss companies as well as public bodies (often on the municipal level) have not been tak - ing cyberthreats seriously enough – a concern only exacerbated by the Xplain and Concevis attacks (see the Swiss Trends & Developments chapter in this guide and 1.4 Data Protection Fines in Practice ). Public attention remains high. This stems from the stream of data breaches, locally and inter - nationally, and the increased awareness of data protection worldwide, but also from some cyber - security considerations affecting national secu - rity. In this latter category, the war in Ukraine and
the international geopolitical situation, combined with the roll-out of next-generation technologies, especially 5G networks, have led to a height - ened awareness of cyberthreats. It is still too early to foresee the long-term conse - quences of cyberthreats for the Swiss legal and regulatory landscape, though they will likely lead to questioning of Switzerland’s international pol - icy in regard to cybersecurity, cyber-espionage and international co-operation. Another major topic is the issue of cyber-attacks in Switzerland. In recent years, the number of cyber-attacks on the infrastructure of Swiss companies in Switzerland have increased sig - nificantly. This worrisome trend has also shown the relative exposure of many Swiss companies, of all sizes, as well as public bodies, and is an alarming reminder of the ubiquity and damaging nature of cyberthreats. In December 2022, the Federal Council submit - ted a draft bill to Swiss Parliament to amend the Federal ISA. This draft creates a legal basis for the obligation of operators of critical infrastruc - tures to report cyber-attacks to which they have been subjected. The term “critical infrastructure” does not only include energy supply companies, hospitals, civil aviation and telecommunications providers – universities, authorities at all federal levels, banks, insurance companies and finan - cial market infrastructure may also fall within the scope. The revised regulation will enter into force on 1 April of 2025. As mentioned in 1.1 Overview of Data and Pri- vacy-Related Laws , Switzerland is a member of neither the EU nor the EEA, and it therefore has no obligation to implement the GDPR. Swit - zerland is recognised by the EU as providing an adequate level of data protection. This was
424 CHAMBERS.COM
Powered by FlippingBook