New privacy laws in Switzerland and India

Aušra Mažutavičienė
Written by
Aušra Mažutavičienė
August 31, 2023

Countries around the world are introducing data protection laws - from Switzerland to India - making it more challenging to stay on top of all privacy requirements, especially if you're operating on a global scale.

In this newsletter, we’re giving you a short overview of some of these new laws.

India‘s new privacy act

On 11th August, India introduced their privacy law - the Digital Personal Data Protection Act (the “Act”).

The Act's effective date is still pending, but it’s expected to provide clarity to people on how companies can use their data.

Who will it apply to, what’s the core and what are the reactions?

The Act's scope is limited to digital personal data. This means personal data collected in digital form or collected offline and later digitized.

The Act introduces definitions such as “data fiduciary” (instead of the GDPR’s “data controller”) and “data principal” (instead of a “data subject").

The main ground for processing personal data under the Act is consent. “Legitimate interests,” as it’s understood under the GDPR, is not part of the Act. The language defining consent is, however, identical to the GDPR.

The Act has already been criticized. First, the Act largely does not apply to foreign personal data processed in India. So it won't help assure the world that it’s now safe to send personal data to India. And second, the Act contains a number of exemptions for the Government without setting any standards, such as proportionality. So there are concerns that this Act can lead to surveillance and violate citizens’ right to privacy.

Switzerland’s revised privacy law - FADP

Closer to us (if you’re in Europe) - the revised Swiss data privacy law (Federal Act on Data Protection - “FADP”) is coming into effect 1st September.

The revised FADP is closely aligned to the GDPR. Like the GDPR, companies targeting goods or services to Swiss people or monitoring their behavior will now have to comply with FADP requirements.

Companies storing personal data on servers located in Switzerland will be caught by the new Swiss privacy law.

So Switzerland is introducing new, more stringent obligations on non-Swiss companies doing business in Switzerland.

Important note; You need to appoint a Swiss representative if

  • you’re selling goods or services to Swiss people or monitoring their behavior, or
  • if the data processing is extensive and regular and involves an increased risk to the personality of the persons concerned.

The law also focuses on data subject rights, as well as new requirements around data breach reporting.

When it comes to fines, intentional violations of the FADP may even result in criminal liability of a responsible person (such as C-level executive) with fines of up to CHF 250,000 (approx EUR 262,000).

What do these new laws mean for you?

You should find out if your company:  

  • processes personal data within these countries,
  • offers goods or services to people in these countries, or
  • uses vendors that are based in these countries?

To answer those questions, it’s important to map your data flows and stay on top of your vendor list.

The GDPR is still one of the most comprehensive data protection laws in the world and provides an overarching framework for the processing of personal data.

So the good news is that if your data processing activities are already GDPR-compliant it will most likely require few to no adjustments to comply with the new global laws. However, to fully assess the impact of the new privacy laws to your business, we recommend that you seek legal advice.