Is the data of your company protected by law?

It’s hard to believe, but it’s only been three years since former CIA employee Edward Snowden, through WikiLeaks, blew the lid off the secret that the US government had several surveillance programs up and running. Of course, many suspected that American authorities were accessing data without restriction or control mechanisms and with no regard for the integrity of individuals or companies. The documents Snowden provided proved beyond any doubt that this was in fact the case.

Since then it’s been clear that a lot of data has been (and still is) accessible to American agencies without prior knowledge or consent from the owner of said data. More worrisome is that authorities in many other countries are legally accessing personal data without your permission or even your knowledge.

Before Snowden, we knew that in the USA the 2001 Patriot Act and the 2008 Foreign Intelligence Surveillance Act (FISAA) give agencies the power to carry out mass information gathering. And it’s legal. In the US, that is. Neither the Patriot Act nor the FISAA applies in Switzerland, though.

Today in Europe, as well as in the USA, some countries have implemented laws that allow government agencies to access data without permission from a court or a prosecutor, or even notifying them. However, the European Union has decided to take another path and make sure its member states harmonize their laws on data integrity.

To do so, the EU is creating the General Data Protection Regulation (GDPR). Basically, it’s a way to ensure the same rules for data integrity apply to a company, no matter which European country it conducts business in.

The regulation will apply if the company controlling or processing the data or the data subject (the one the data is about) is based in the EU. If a company stores information about you, the company controls this data but you are the data subject. Therefore you should have influence and knowledge about how this data is used, stored and shared. That’s the idea behind the GDPR.

From the GDPR stems a whole series of implications for the data controller (for instance a cloud service provider) storing your personal information, like a credit card number, an address or something else. And failure to comply can result in huge fines.

There are rules for informing the data subject both when the data has been breached by illegal means and when it has been accessed legally:

The business responsible for the data may not share it without prior consent from the data subject. It must have a designated Data Protection Officer (DPO). If an employee who does not specifically work with the data happens to access it, this may be considered a breach, and the data controller must then inform the data subject within 72 hours.

Now the GDPR, as complicated as it might be, is probably a good thing and is definitely strengthening the data integrity for individuals. Company data is not protected in the GDPR, though.

This is where Swiss law comes in. The Swiss Federal Act on Data Protection (FADP) is already on pretty much the same level of data security as the GDPR. And the FADP will be adjusted in August to make sure it’s on the exact same level. There is one major difference: the GDPR applies to actual persons only, while the FADP applies to both actual and legal persons (i.e. companies and organizations).

If your company data is to be legally accessed in Switzerland, it has to be with your express consent. In the EU, this is valid only for actual persons.

And with the Swiss political system being what it is, to a large extent ruled by the people directly through referendums on many issues, we can all rest assured that the long-honored tradition of personal integrity in Switzerland applies to your data and will do so for the foreseeable future. Your data is safe with us!