In the wake of recent cyber-attacks and data leaks, countries have increasingly enacted data localization laws aimed at limiting the cross-border flow of data and monitoring corporations and individuals (Panday 2017). These policies have certain positive economic consequences. For example, corporations that are forced to store data within a given country often must establish local offices, invest within that country, and employ native workers (Bowman 2017). On the other hand, forced data localization can result in detrimental effects to a country’s business landscape. Data localization laws can hinder corporate expansion into foreign countries. Moreover, it can cause problems for companies that have data stored around the world and must implement costly reforms that eat into their bottom line. Small businesses may struggle to alter their business model due to inadequate financial and legal resources (Bowman 2017).
The country of Switzerland is an anomaly as it relates to data security and the international cybersecurity landscape. While not a EU member or a member of the European Economic Area, Switzerland partially abides by the EU Directive on Protection of Personal Data. Specifically, Switzerland has implemented Treaty 108, which protects individuals against abuses which may accompany the collection and processing of personal data, and regulates cross-border flows on personal data (Burnier and Hofer 2017). Switzerland’s data protection is primarily shaped by two legal codes: The Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO). These codes serve as national guidelines for legal protection of data, while Swiss cantons (states) are individually responsible for data protection measures within cantonal boundaries (Isner and Schneider 2017).
However, in spite of increased data localization by other countries, Swiss data localization laws remain lenient in comparison. Switzerland has long been a haven for corporations seeking to bypass regulations and red tape, thus, it is no surprise that Switzerland data localization laws fall in line with their extensive history of laissez-faire regulations. Some may argue that Swiss data localization laws render it vulnerable to cyber attacks and data breaches. However, I argue that Swiss laws are sufficient to protect against data breaches, while encouraging business growth and innovation.
The Swiss Federal Data Protection Act and the Swiss Federal Data Protection Ordinance
The Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO) primarily concern the processing of personal data. Personal data is defined as information related to an identified or identifiable person as it relates to a person’s race, politics, health, religion, sexual life, or criminal record. The processing of personal data is understood to mean “any operation with personal data, irrespective of means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of data” (Mathys 2014). A person can be considered identifiable if a third party who is in possession of data on a person is capable of identifying an individual with a reasonable effort (Mathys 2014).
The DPA regulates data according to four principles: personal data can only be processed lawfully, personal data must be carried out in good faith and must be proportionate, personal data must be processed for the purpose indicated at the time of collection, and the collection of personal data and in particular the purpose of its processing must be evident to the data subject (Mathys 2014). Additionally, personal data must be accurate and be protected against unauthorized processing, which can manifest as: accidental or unauthorized destruction, accidental loss, technical faults, forgery, theft, alteration, or unauthorized access (Mathys 2014). These laws apply to private persons, legal entities, and federal governmental bodies as data controllers.
The Federal Data Protection and Information Commissioner (FDPIC) is tasked with enforcing data protection statutes and is the highest authority in the protection of data in Switzerland (Mathys 2014). Other statutes that govern data protection and processing are: the Swiss Federal Code of Operations, Ordinance 3 of the Swiss Federal Employment Act, the Swiss Federal Telecommunications Act, the Swiss Federal Banking Act, the Swiss Federal Stock Exchange and Security Dealers Act, the Swiss Federal Act on Financial Market infrastructures, and various other acts relating to telecommunications, banking, healthcare, and human rights (Morscher and Rusterholz 2017). All together, these laws and institutions provide comprehensive security measures for Swiss citizens and foreign bodies storing data in Switzerland without compromising economic growth.
An Uneven Data Protection Landscape
The 26 cantons of Switzerland are permitted to establish their own data protection laws, as well as appoint their own data authorities for the supervision of data processing (Morsher and Rusterholz 2017). This has resulted in a varied data security landscape. The economic and structural differences between cantons compound these variations. While cantons rely on the support of the federal government in protecting against cybersecurity threats to data, individual cantons maintain their own respective critical infrastructures, running the organizational, control, and security structures (Enisa 2012). However, some cantons lack the capability of providing adequate date protection in their jurisdiction, and, thus, delegate this responsibility to third parties (Enisa 2012). Foreign companies are currently barred from working with Swiss critical infrastructure after the Swiss government outlawed foreign interference in critical infrastructure in 2014 (Beer 2014).
In any case, the varied levels of data protection from canton to canton render the Swiss nation a patchwork of differing data capabilities. The ability of cantons to establish their own data localization laws results in a liberal data landscape in which cantons can individualize regulations to the specifications of industries within cantonal boundaries.
Law Regulating the Flow of Cross-Border Data
Switzerland has no overt data localization statutes and there are no requirements to store data within Swiss borders (Beer 2017). However, there are various laws regulating the flow of cross-border of data. There are also some exceptions pertaining to high-risk banking and financial information.
Personally identifiable information may only be transferred outside of Switzerland if its destination adequately protects against cyber-threats (Chuffart-Finsterwald 2016). Data is considered adequately protected if it is safeguarded against unauthorized processing (Chuffart-Finsterwald 2016). In the absence of legislation that guarantees adequate protection of personal data, consent by the data subject may substitute to legalize the data transfer if it is given voluntarily and on the provision of accurate information (Chuffart-Finsterwald 2016). Additionally, any data processor that regularly transfers data to third parties are obligated to assure the FDPIC of adequate date safeguards at the data’s destination (Chuffart-Finsterwald 2016).
The FDPIC has the final word on whether a cross-border data transfer is lawful. Failure to abide by the FDPIC’s order can result in fines of up to 10,000 Francs (Chuffart-Finsterwald 2016). Overall, the statutes concern data localization in Switzerland are rather vague and leave room for interpretation, especially in regard to adequately protected data. The vagueness of Swiss data protection laws is beneficial to corporations. While corporations are held to a high standard of ensuring that their data is protected, their ability liberally interpret Swiss data laws allows them to function without the headaches associated with strict data laws.
To conclude, the Swiss cyber landscape is a complex patchwork of overlapping laws and regulations. These laws ensure the protection of data within Swiss borders without infringing on corporate freedom through restrictive data localization regulations. The DPO, DPA, and FDPIC, in collaboration with various other laws function to encourage business innovation and growth without detracting from international business development or stymying small businesses. Moreover, the freedom of cantons to tailor their data localization laws results in a liberal environment in which cantons are not forced to abide by stringent data localization laws.
Mathys, Roland. “Data Protection in Switzerland: An Overview.” Www.swegal.ch, Schellenburg Wittmer Ltd, 1 Aug. 2014.