Data protection: The new DPA in Switzerland compared to the GDPR in the EU - 18. April 2023

Data protection? It is certainly complicated. Politicians and stakeholders take on an issue with a very technical background, where solid technical expertise would ease many legal problems were it not for the half-knowledge of the decision-makers; that makes it complicated. And a new law often requires a great deal of explanation, because the legislative process usually leaves little room for clarity but plenty for unworldly compromises. The sovereignty of interpretation then rests either with the legislator, for example in the form of an ordinance in Switzerland, or with the judge in the form of rulings, a path frequently taken in the EU. Data protection is therefore also, and above all, politics.

GDPR in force since 2018

The EU set a new standard in 2018 with the GDPR. It wanted to push ahead with a pronounced protection of personal data and clearly distinguish itself from authoritarian or very lax data protection regimes, such as those practiced in China or the USA. And at some point Switzerland comes along and can only lose out to the large international regulations. It knows that it has to fit into the EU scheme in order to have any effect at all and to be accepted internationally. However, it wants to set its own accents, which may be well-intentioned but predominantly put obstacles in the way of internationally oriented companies and data protection users in Switzerland, because additional regulations have to be observed, which means the opposite of legal certainty. Data flows across borders, and data processing often does as well. A company will always choose to be “compliant” with the stricter regime, which in case of doubt means the GDPR.

The GDPR entered into force in May 2018, the new DPA in September 2023, but without transitional provisions, which no one needs, because many companies are already DPA-compliant, with the exception of those that exclusively serve the Swiss domestic market. With a few exceptions, the DPA (coverage 8.5 million inhabitants) goes less far than the GDPR (coverage more than 400 million) in terms of the level of protection. Because Switzerland as an economic area is substantially integrated into the EU, the question arises as to whether the new DPA makes sense. Does a small country need independent data protection that does more than proclaim residual values of rebellious behavior? This article attempts to point out similarities and differences.

Specifically, it deals with three different laws or regulatory environments that play a role in communication and advertising activities in the EU and in Switzerland:

1. GDPR since 2018 vs. the new DPA from September 2023:

The EU regulation is a directly applicable regulation and therefore equivalent to a law in Switzerland (the ordinance in Switzerland is a second-tier legal act and interprets the law). The GDPR is essentially about the rules for handling personal data. These are applied organizationally and technically in connection with a Customer Relationship Management system CRM, i.e. the management of customer and contact data, and possibly a Customer Data Platform CDP, i.e. the collection and evaluation of precisely this structured data. As long as providers and advertisers are in the area of anonymous or pseudonymous data, the GDPR does not apply, because this data cannot be assigned to a person.

Data protection regulates the use of personal data

Basically, according to this regulation, the use of personal data for advertising purposes requires explicit and voluntary consent and the user’s right to object at any time. And there is a prohibition on linking this consent to performance under a contract. The user must be told what his or her data will be used for. Profiling is the focus here, i.e. the ability or process for a “computer” to automatically create a personality profile. This allows segments of users and customers to be created based on their behavioral patterns, enabling the company to place or send more targeted and relevant advertisements; this is the concrete targeting via digital channels. The new DPA still does not require explicit consent for profiling (see the exceptional case of “high risk” profiling).

All that is required is a privacy statement (DSE) that states the purpose for which the company wishes to handle personal data (purpose limitation, e.g. personalized advertising for marketing purposes). However, this DSE must not contain arbitrary clauses: the purpose of use must be “proportionate” and not “unusual”, terms that courts will have to interpret in the future. In Switzerland the declaration only has to be brought to the attention of the user, on the company website or in active communication with the user such as email or in an app. The opt-out principle applies. In connection with GTC or with the completion of a form, the authorization is deemed to have been obtained if the GTC or the form are accepted as the actual objects of acceptance. In the EU, the declaration for tracking and profiling must be explicitly requested.

This checkmark must be filed against the user or customer on a data platform, for the central overview of future use until revocation and for the information obligation towards the authorizing person. Information and disclosure obligations regarding the obtained “permission”, and thus the lawful use of personal data, are similarly strict in the new FADP as in the GDPR. A “confirmed opt-in” for the use of email addresses (i.e. single confirmation of a registration without double confirmation, see below) is difficult to prove.

What does an internationally active company in Switzerland do now with the GDPR?

It creates a GDPR-compliant DSE including positive double opt-in and a right of objection for personalized advertising and applies it to all users, especially since it cannot be perfectly clarified whether a particular user comes from Switzerland or the EU. The DPA is thus irrelevant in this respect.

Contract data processing, i.e. the transfer of personal data to specific service providers and its processing by them, must also be regulated in a contract. For the involvement of subcontracted processors, which in some cases applies to service providers in the “near-” or “off-shoring” area, an authorization is now required. The Federal Council defines “unsafe” third countries. Similar to the EU, where the Privacy Shield agreement with the USA was overturned in the “Schrems II” ruling, the United States is not considered a safe third country in this context.

This is about the famous cookies, “first party” and “third party”, new devilish stuff from the digital age (😊): code snippets or text modules which are placed in the user’s browser and enable the provider to track the user and use the information from them for its own advertising purposes; so far without explicit consent and only in the anonymized area, nota bene. These cookies have been the technical basis for a targeting industry worth billions since the advent of browsers, which are the access window to providers’ content. Powerful databases allow very detailed targeting for the purposes of programmatic advertising, thanks to accurate behavioral analysis.

2. ePrivacy Directive (2009) and its new edition vs. Telecommunications Act TCA Art. 45c lit. b in Switzerland (2006):

In recent years, these legal bases have given rise to the so-called cookie banners on websites, both in the EU and in Switzerland, which are basically annoying and are clicked away “at the top right” without reading the linked privacy policy, which would provide information about the use of cookies. It’s primarily about third party cookies, which can be embedded by third party providers on a company’s own website (tracking, Google, Facebook, web analytics, etc.). These are increasingly being blocked by browsers and will be completely eliminated in the next 1-2 years – as already announced by some providers. As a result, first party cookies will become more relevant; these are integrated by the provider itself in connection with the website and planned advertising measures. In detail, these are:

  • Necessary cookies: These are required for a website and page navigation to function technically at all. They are necessary and are never subject to consent.
  • Preference or functional cookies: These concern default settings such as the language or the region in which a user is located.
  • Statistical cookies: This is about page views, dwell time, visitor flow, SEO ranking; these are collected anonymously to basically improve the ecosystem of a website.
  • Advertising or marketing cookies: These are the user cookies which are used anonymously to target the users based on the web visits for future advertising targeting.

The ePrivacy Directive in the EU has been facing a new edition for years and is wandering through the institutions (as of the end of 2022). The various interests bring new versions to the floor at regular intervals and regularly shoot them down with each new EU Council presidency, six months later. The game continues with an uncertain outcome. In terms of content, the issue would be the regulation and consent procedure on the various cookies.

Courts step into the breach to regulate on cookies what legislators have failed to do

The courts have therefore seen themselves empowered to provide more legal certainty in this impasse: in 2019 the ECJ, and then in 2020 the Federal Court of Justice BGH in Germany following preliminary clarification by the ECJ, decided that undifferentiated cookie banners are no longer legal. As a result, most companies have switched to offering detailed cookie overviews, which allow the user to select and allow individual cookie categories. However, providers are pursuing the hope that the user will continue to accept the prominent “Allow all cookies” button without much fuss. In fact, however, this has already led to a massive collapse in the approval of marketing cookies, the basis for the previously rather unbridled targeting of users across the Internet. And what is happening in Switzerland? Here, too, it is not the DPA that solves this issue, but Art. 45c lit. b of the Telecommunications Act. Based on the interpretation of this article, the general acceptance of the cookie banner will not change in the future; targeting will therefore remain easier in Switzerland than in the EU. No detailed cookie overviews are required.

3. Competition law in the EU vs. the Unfair Competition Act UWG Art. 3 para. 1, lit. o in Switzerland:

These laws specifically regulate consent for sending e-mails and newsletters with advertising content to a larger list of recipients. A court in Austria once arbitrarily set this number at 70. Until the GDPR, opt-in requirements were regulated very differently within the EU. While Germany has known the double opt-in for years, the other EU countries only followed suit with the revision of data protection and – not by virtue of the letter of the law, but via the requirements of data minimization and the burden of proof towards the user – have in fact made the double opt-in mandatory.

Double opt-in or confirmed opt-in

In Switzerland, the confirmed opt-in (i.e. without a second confirmation e-mail) is still sufficient. However, one may ask how a company can comply with the information or the duty of proof under the new DPA without a double opt-in. In fact, this is not possible. However, Art. 3 Para. 1 lit. o also states that mass advertising to customers is permissible without their consent but with reference to the possibility of refusal. This article and thus the permissibility of mass mailing to existing and verifiable customers without opt-in continues to apply.

Here is a tabular overview of the legal requirements regarding the use of personal data and cookie categories with the corresponding (revised) laws in the EU and Switzerland (incl. regulations for e-mail and call centers):

* Similar to the GDPR, it may be that the double opt-in is in fact self-evident from the information requirements for a company, because the proof cannot be provided with a confirmed opt-in.
** Does not result from the current directive, but from judge-made law in 2020; it will presumably be adopted in the new edition of the ePrivacy Directive.
*** Within a business relationship, telemarketing is possible without opt-out; many mobile numbers are not listed in the telephone directory, which is equivalent to an opt-out.

Trust Center and Customer Management Platform

Due to the changing requirements for cookie consent and for systematic compliance with opt-in criteria when sending e-mails, larger companies have started to set up a so-called “Trust Center” for external use or a “Customer Management Platform” for the purpose of internal data management for the users of their website and for all customers. Cookie categories are defined, the purpose of use explained, cookie providers listed. The user can accept individual cookie categories or still accept all cookies with a single click (“accept all”), which is still the main option in terms of intuitive user behavior and is chosen by many consumers without thinking twice. Technically, the data is stored on a Customer Data Platform, which allows the provider to link cookie permissions and email opt-ins across digital channels and shape profiling across all channels depending on the user’s choice. With the GDPR and the new DPA, this is highly advisable and a competitive advantage that should not be underestimated for personalized marketing in terms of marketing automation.

Consent Management

Those who systematically obtain all permissions from users and customers across as many digital channels as possible are not only “compliant” with the law, but will also be able to use the possibilities of a comprehensive database much better in the future than companies that do not pay the necessary attention to this topic. Good consent management pays off. As a reminder, the GDPR was originally aimed at the big data giants (also known as GAFA: Google, Apple, Facebook, Amazon) from the USA, in order to deprive them of the unbridled and uncontrolled handling of personal data. These have pulled out all the stops to respect data protection in the EU, because their business model consists of the intelligent and personalized handling of (free) consumer data. In contrast, many smaller companies are finding it difficult to comply with the sometimes unclear and costly-to-implement provisions of the GDPR.

Excerpt from a consent query in which cookies are managed individually as the basis of comprehensive consent management.

4. Conclusion: What does a company that serves international markets do?

It strictly adheres to the GDPR, largely ignores the DPA in the above-mentioned requirements or has long since fulfilled it, because the GDPR is already in force and is stricter in most cases. A look at the sanctions confirms the importance of the GDPR, because there it is about fines of 10/20 million euros or up to 2/4% of global annual turnover (GDPR Art. 83; depending on the violation). Switzerland does not fine companies; the new DPA provides only personal sanctions, i.e. fines addressed to managers of up to CHF 250,000. With the scope of sanctions under the GDPR, the risk assessment for the CEO in terms of compliance with data protection has become clearer in favor of compliance with the law. However, compliance is not only worthwhile for legal reasons, because potential reputational damage as a result of a serious breach of data protection may have an even more serious impact than a direct violation of the law. Or have we already become so dissolute in our handling of personal data that a shitstorm today will have no negative impact on the course of business tomorrow? Unfortunately, the public is even more sensitive to violations of moral standards that require greater protection, such as human rights or health, than it is to violations of data protection.

Five years after the GDPR, the DPA is not a big hit

In any case, Switzerland has not made a big splash with the new DPA; certainly not with an independent law five years after the GDPR came into force. We can assure ourselves that we have not succumbed to the requirements of the GDPR in all cases and are going our own way. When it comes to implementation, however, this can only cause incomprehension among international companies. The focus should not be on resistance to the large community of states, but on uniform regulations, legal certainty and the basis for new business models, which arise from the opportunities of data protection. We have long since forfeited this potential competitive advantage from strict regulation. Nevertheless, companies should invest in the long term in building up a comprehensive data environment, an invaluable asset. This takes a lot of time and money. Comply with the GDPR and other regulations in the EU, and good riddance; the new DPA is essentially an unnecessary side note from an international perspective.
