So now we know what’s coming with the new data protection law. Not much has changed since the draft was commented on here. Many discussions took place on the political “sham level”, i.e. in areas which actually have no significance in practice. I still believe that this law is a bureaucratic monster of the first order and does a disservice to data protection. Furthermore, the law in this form is not GDPR-compliant. This has nothing to do with the recognition by the EU (because that is decided in horse-trading mode), but nevertheless it should make you think about what went on here.
One of the most important points was not even mentioned in the debate, or was simply ignored: the distribution of the burden of proof. The reversal of the burden of proof to the detriment of the responsible party was definitely NOT introduced. This is in contrast to Art. 82 GDPR, according to which the controller must prove in the event of damage that it “is not responsible in any respect for the circumstance by which the damage occurred.” In my opinion, this is also too broad a formulation, because it is not usually the case that the person responsible can fulfill all due diligence obligations one hundred percent. However, Switzerland has completely waived the burden of proof for the responsible party (from the message):
The Federal Council has dispensed with a reversal of the burden of proof based on the example of Article 13a of the Federal Act of December 19, 1986 on Unfair Competition (UCA), according to which the court could require data processors to provide evidence of data protection-compliant processing in individual cases if this appears appropriate, taking into account the legitimate interests of the parties involved in the proceedings. Civil courts are already able to deal with evidentiary problems within the framework of the free assessment of evidence and the parties’ obligations to cooperate. Furthermore, the consultation on the FIDLEG has shown that proposals to shift the burden of proof meet with strong resistance.
Imagine: The affected party (who has already suffered damage) must now prove that the responsible party did not fulfill its duty of care, e.g. by insufficiently protecting its data so that it could be copied by hackers or other attackers. Or even more difficult: the integrity protection was insufficient, which is why data was manipulated. This is a complete illusion in the complex data processing world of 2020. The courts will be massively overburdened when it comes to evaluating such due diligence assessments. What happens in practice? In case of doubt, the court will have to commission an expert opinion, which usually has to be prefinanced by the plaintiff (the affected party). This is denial of justice in the most unattractive style, because such an expert opinion will immediately run into five figures.
Thus, the law is no longer even a tame tiger, but rather a decrepit house cat. Without shifting the burden of proof and in combination with the weak threats of fines, this law is useless. Or as David Rosenthal put it (David Rosenthal, Das neue Datenschutzgesetz, in: Jusletter November 16, 2020):
 In two respects, however, Switzerland is clearly behind the GDPR: In Switzerland, only the intentional violation of the DPA is punished, and the catalog of offenses is incomparably smaller than that of the GDPR. While almost every violation of the GDPR is subject to a fine, this only applies to a few provisions in the revised DPA. The violation of the processing principles is in itself no more punishable than the violation of most of the accompanying measures.
The protection of the data subject has thus been softened so much that only one party benefits from it: The data protection commissioner in Bern can look forward to an armada of new civil servants.