Hardly a day goes by without bad news in the media about data leaks or new security vulnerabilities, as was the case recently with tech giant Microsoft. This makes it all the more important for policymakers to take concrete countermeasures to protect those affected, ensure transparent communication and guarantee legal certainty for all stakeholders. Switzerland has now taken a large and important step in this direction. With the new Data Protection Act (nDSG), the Alpine country not only brings its legislation up to the level of the EU GDPR, but will also see positive effects in two key areas.
The first is the government sector, where the issue of digital sovereignty will come to the fore – similar to what is already the case in countries such as Germany or France. The second is the education sector, which will benefit significantly, as the new law will effectively end the use of U.S. public clouds. This is a long overdue step, and one that is urgently needed in light of the recent attempt at a European-American data protection agreement. If, as expected, the new version of the agreement is also overturned by the courts, the industry must brace itself for continued legal uncertainty.
However, in addition to the many similarities with the GDPR, there are also some differences. One of the most serious is that fines can be imposed directly on the individual, rather than on the responsible company, as is the case with the GDPR. As a result, individual responsible parties will have to pay even more attention to data protection if they do not want to be taken to court for their own misconduct. In Germany, this will only be possible with the new IT Security Act, and only for critical infrastructure. Nevertheless, the similarities between the GDPR and the nDSG far outweigh the differences, which should be seen as a positive step in the direction of universal and strong data protection.