The revised Swiss Data Protection Act and international organisations

Although not new, this amendment will provide some welcome clarification.

First, the more classic and formal international organisations, such as the United Nations (“UN”) and UN agencies – whose privileges and immunities arise not only from host state agreements but also from treaties to which Switzerland is a party – have never been subject to the FADP, by virtue of such immunities. The Federal Council has confirmed that the current Act does not apply to international organisations given that these, as subjects of public international law, cannot be submitted to national law.

Second, while the term “international organisation” is not specifically defined under Swiss law, it generally includes (in addition to the classic international organisations mentioned above), entities that are not strictly intergovernmental, but that Switzerland recognises as having international legal personality. The extent of the immunities and privileges enjoyed by such institutions will generally depend on their host state agreement and – given the wording of many such agreements – it is doubtful that many of these institutions were ever subject to the FADP.

The current FADP created ambiguity in this respect, since Art. 2(2)(e) FADP only provides an exclusion for “the process of personal data by the International Committee of the Red Cross”. The Federal Council states that this specific mention of the International Committee of the Red Cross (“ICRC”) sought to clarify that the ICRC was not subject to the FADP. Such a specific reference was deemed necessary because the ICRC, despite having a recognised international legal personality, was formally an association incorporated under Swiss law – but it is by no means the only organisation in Switzerland with this particular set-up.

By singling out the ICRC, the present FADP could cause confusion. The new language clarifies the situation for these other types of institutions; the revised act maintains the current situation regarding the ICRC and, through Art. 2(2)(e) FADP, dispels any ambiguity surrounding the status of other institutions that enjoy a host state agreement with Switzerland. Although not a substantial change, this is a welcome clarification.

While international organisations are excluded from the scope of the FADP, to operate and interact effectively with Swiss private and public actors, international organisations in Switzerland have an interest in maintaining adequate personal data protection standards in particular is they want to receive data.

Under both Swiss law and the European General Data Protection Regulation (“GDPR”), personal data may, in principle, not be transmitted abroad – be it to another country or to an international organisation, if the privacy of the data subjects would be seriously endangered by doing so (in particular, due to the absence of legislation that guarantees adequate protection).

The Federal Data Protection and Information Commissioner (“FDPIC”) maintains a publicly-available list of countries, documenting the adequacy of data protection legislation, including consideration as to whether a country has adhered to the so-called Convention 108 (Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data), which is the sole multilateral treaty at international level for the protection of personal data. Convention 108 was modernised in May 2018 through an Amending Protocol (Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data). The Amending Protocol will enter into force upon the ratification of 38 parties, 27 having ratified it as of 15 August 2023. Once in force, both international organisations and States will become eligible to join the Protocol. As a result, an international organisation adhering to Convention 108 will be deemed to have regulations that guarantee adequate protection – thus allowing free flow of personal data from third parties.

Whether or not an international organisation formally becomes a party to Convention 108, it may wish to comply with the principles set out in said Convention in order to ensure appropriate levels of protection for personal data, if only to guarantee the flow of personal data from Swiss private and public actors that it requires to function. This would entail among others the international organisation adopting measures to comply with the principles of transparency, proportionality, security and data minimization, the obligation to declare data breaches as well as the obligation to provide individuals with an extended right of access to their personal data and its use.

For further questions or comments about this topic, please contact the authors.