Switzerland: Data Protection in the Automotive Sector
Currently, no specific data protection legislation or regulation is in place for the automotive sector and very little administrative guidance has been issued. Therefore, general rules and concepts apply.
1. Governing Texts
1.1. Key acts, regulations, directives, bills
Despite the lack of specific data protection or cybersecurity legislation for the automotive sector, general data protection and cybersecurity rules apply. The right to informational self-determination is enshrined in Article 13(2) of the Federal Constitution of the Swiss Confederation ('the Constitution'). Accordingly, every person has the right to control all their personal data. At the legislative level, the Federal Act on Data Protection 1992 ('FADP') is applicable, and is complemented by the Ordinance on the Federal Act on Data Protection ('the Ordinance'). The FADP has undergone a complete revision (only available in German here, French here, and Italian here) and is expected to enter into force in September 2023 as the revised FADP ('revFADP').
Cybersecurity requirements with regard to personal data are of a general nature. According to Article 7 of the FADP (Articles 7 and 8 of the revFADP), controllers and processors shall protect all personal data from unauthorised access by implementing adequate technical and organisational measures ('TOMs'). These TOMs must comply with the technical state of the art and need to be appropriate with regard to the nature of the processing and the risk that it entails for the rights of the persons concerned. Article 8(1) of the Ordinance lists measures to protect personal data against accidental loss, unauthorised or accidental destruction, technical faults, theft, forgery or unlawful use, unauthorised alteration, copying, access, and/or other unauthorised processing. A higher level of detail only exists for operators of critical infrastructure, as well as for public bodies and authorities (see in particular the Information Security Act of 18 December 2020 (only available in German here, in French here, and in Italian here) ('ISA') and the Ordinance on the Protection against Cyber Risks in the Federal Administration ('CyRV')).
1.2. Regulatory authority guidance
The Swiss National Cyber Security Centre ('NCSC') acts as central reporting point for cyber attacks and security incidents and can issue cybersecurity guidance. Digitalisation in the mobility sector is subject to an action plan called Digital Strategy Switzerland ('the Strategy') which has been elaborated under the leadership of the Federal Chancellery. The Strategy lays out Switzerland's future data policy which comprises, for example, the establishment of a national data infrastructure and the creation of an overarching traffic management system. The Strategy also addresses cybersecurity and data security considerations and sets out objectives for further digitalisation of the mobility sector. However, regarding data protection and cybersecurity in the automotive sector, no binding guidance has been derived from the Strategy yet.
Despite the fact that Switzerland is not part of the EU, authorities of the EU and of EU Member States play an important role in setting out guidance for the sector. Switzerland is surrounded by EU Member States and maintains close business relationships with all neighbouring countries. Therefore, Swiss data protection and cybersecurity standards are oriented towards EU standards. In order to create an adequate level of data protection and ensure that cross-border data transfers between the EU and Switzerland remain possible without further hurdles, the revFADP is oriented towards the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and contains similar requirements. The same is true regarding court decisions, soft law, or other guidelines; even though not binding in Switzerland, EU developments are taken into account in practice and therefore may have an effect on the application of Swiss privacy laws.
International standards are also important for cybersecurity in Switzerland. The technical state of the art (see in particular Articles 7 and 8 of the revFADP) refers to all recognised rules of technology in the relevant field. This may comprise the International Organization for Standardization norms, as well as recognised standards of other countries, such as the basic protection rules by the German Federal Office for Information Security.
2. Key Definitions
According to general definitions, personal data means 'all information relating to an identified or identifiable person' (Article 3(a) of the FADP/Article 5(a) of the revFADP) whereas processing means 'any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of data' (Article 3(e) of the FADP/Article 5(d) of the revFADP).
Vehicle Information Number: Vehicle Information Number ('VIN') (sole or in combination with further identifiers) is not subject to specific legislation or guidance. According to Article 4(1) of the GDPR, as soon as data allows the drawing of conclusions as to a current or previous owner or use, it qualifies as personal data.
Geolocation data: Geolocation data that refers to an identified or identifiable person qualifies as personal data. Where such data is processed automatically for the purpose of evaluating certain personal aspects of the data subject, for example to analyse or predict preferences, interests, behaviour, location, or change of location, such processing may qualify as profiling (Article 5(f) of the revFADP). Where it allows an assessment of essential aspects of the personality of a natural person, it may qualify as high-risk profiling (Article 5(g) of the revFADP). Such qualification must be taken into account when assessing the proportionality of the processing.
Telematic data: Technical data that is generated in the vehicle, but not linked to an identified or identifiable person does not necessarily qualify as personal data. In particular, data showing the status of the system and environment to trigger appropriate vehicle functions, to assist with servicing and diagnosis, is principally not personal data.
Biometric data: Biometric data regarding an identifiable person, for example a fingerprint or facial recognition data, is immutable and inseparably linked to the person. Therefore, such data qualifies as sensitive personal data within the meaning of Article 5(c)(4) of the revFADP. The more sensitive a processing operation is in terms of violating the privacy of data subjects, the more precautions need to be taken. For this reason, special care must be taken when processing biometric data to ensure that there is no violation of personal data. This may also include stricter cybersecurity requirements.
Metadata: The same principles as with telematics apply with regard to metadata.
Voice data: No legal definition for 'voice data' exists under Swiss law. Where a person is identified through voice data, this data qualifies as personal data and general data protection principles apply.
Video data (inside/outside the vehicle): No legal definition of 'video data (inside/outside the vehicle)' exists under Swiss law. However, as video data typically allows the identification of natural persons, data protection laws need to be respected. As regards video data collected by dashcams, the Federal Data Protection and Information Commissioner ('FDPIC') issued relevant guidelines in 2019. Dashcams must follow the principle of Privacy by Design, in order to reduce the intrusion to the personal rights of filmed persons. In particular, general filming of uninvolved, correctly behaving third parties must be avoided. In addition, recordings should only be stored in encrypted form and continuously deleted or overwritten if they are not specifically read out for evaluation. In criminal court proceedings, private dashcam videos may be used as evidence only in cases of serious offences. According to the Swiss Supreme Court in Judgment 6B_118/2018 of 26 September 2019 (only available in German here), simple or even gross violations of traffic rules principally do not count as serious offences within this context.
Anonymisation: Anonymisation means that the personal characteristics of personal data are removed so it is no longer possible for anyone to establish a personal reference from the data. If personal data is anonymised in such a way and cannot be re-identified, data protection laws no longer apply.
Pseudonymisation: Pseudonymised data is not defined in the FADP or revFADP. It is considered by legal practice to constitute personal data within the meaning of the FADP for persons who know the attribution rule or the key (or who otherwise succeed in uncovering the pseudonyms). Thus, it depends on the technical implementation whether, and to what extent, the personal reference of data can be excluded and whether data protection laws apply.
Data processing: According to Article 3(e) of the FADP (Article 5(d) of the revFADP), processing means 'any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of data'.
Data controller: Article 3(i) of the FADP defines 'controller of the data file' as 'private persons or federal bodies that decide on the purpose and content of a data file'. Article 5(j) of the revFADP amends the language and now defines the 'controller' in similar terms to the GDPR.
Data processor: Under the current FADP, processor is not a defined term, but will be introduced into the revFADP. According to Article 5(k) of the revFADP, processor is any 'private person or federal body that processes personal data on behalf of the data controller'. The concept is similar to the concept of the processor under the GDPR, with only linguistic differences in the German version.
Manufacturer: From a data protection or cybersecurity perspective, the manufacturer is not subject to specific regulation. As the case may be, a manufacturer can qualify as controller and/or processor of personal data. With regard to liability for defective products, general provisions such as the Federal Law on Product Liability (only available in German here, in French here, and in Italian here) apply.
3. Supervisory Authority
The FDPIC is the authority responsible for overseeing data protection compliance of public and private bodies. Regulatory cybersecurity oversight by the FDPIC only exists on a case-by-case basis and with regard to personal data. Other than that, oversight and enforcement of data security is largely left to self-control by the concerned organisations and, eventually, civil courts.
The Federal Roads Office ('FEDRO') is Switzerland's central authority for road infrastructure and private road transport, which also includes defining the basis for efficient traffic. Therefore, the FEDRO may be more involved in future infrastructure for connected vehicles and in overseeing compliance regarding such infrastructure.
4. Connected Vehicles
Under the current FADP, information obligations are very limited and do not generally oblige the controller to implement a privacy notice. However, under the revFADP, the controller must, inter alia, inform the data subject about the collection of personal data and the purpose of its processing (Article 19 of the revFADP). It is not necessary that data subjects actually take notice of the information, but the information needs to be presented in a form that is easily accessible. One way to reduce potential information barriers is to use privacy icons. They are not mandatory, but are more and more widespread among Swiss companies.
There are no recommendations or guidelines in place for a user concept in connected cars yet. However, if personal data of the driver and/or passengers is processed, a user concept may be recommended.
Choice and consent
In the private sector, consent is generally not necessary for the processing of personal data, as long as general data processing principles are respected (Article 4 of the FADP/Article 6 of the revFADP). In particular, processing must be lawful, fair, and proportionate, personal data may only be collected for a specific purpose which is apparent to the data subject, and personal data may only be processed in a manner compatible with that purpose. As soon as personal data is no longer required, it must be deleted or anonymised.
Consent or another justification is required if any of these processing principles is not complied with, if the data subject has objected to the processing (Article 12(2)(b) of the FADP/Article 30(2)(b) of the revFADP), or if sensitive personal data is to be disclosed to a third party (Article 12(2)(c) of the FADP/Article 30(2)(c) of the revFADP).
Where consent of the data subject is required, such consent is only valid if it is given voluntarily on the provision of adequate information (Article 4(5) of the FADP/Article 6(6) of the revFADP). Where particularly sensitive personal data is processed or the processing qualifies as profiling, consent must also be given expressly (Article 4(5) of the FADP/Article 6(7) of the revFADP). This means that in such cases, implied consent is invalid.
The fact that data security obligations are rarely codified, as mentioned above, means that soft law and international developments regarding data security must be constantly monitored. The requirement to implement data security measures according to the technical state of the art means that data security must be understood as a permanent obligation.
There is a danger that excessive data will be collected by the numerous sensors in vehicles. As technology advances, it is possible that such data may be used in the future for purposes other than the original purpose. The principles of transparency and data minimisation prohibit such excessive processing and must be taken into account when developing new functions or services.
Accountability and record of processing
The person responsible for the processing must assess the risks and must implement appropriate measures to mitigate these risks. Typically, this is the person who determines the purpose and means of the processing, i.e. the controller. In the context of mobility services, which are typically characterised by many participants working together in complex structures, determining the controller may not always be straightforward. For example, a governmental agency may act as a platform provider, a corresponding mobility app may be designed by a developer and offered by an operator, and a separate service provider may offer underlying services. In the use case of automated and connected vehicles, either a service provider and/or the vehicle manufacturer may be a controller. In such cases, a thorough assessment of the roles of each party must be carried out.
According to Article 12 of the revFADP, private controllers and processors must keep a register of their processing activities, unless they are companies that employ fewer than 250 people and whose data processing involves a low risk of personal right violations. A controller's data processing directory shall contain at least: the identity of the controller; the purpose of the processing; a description of the categories of data subjects and the categories of personal data; the categories of recipients; if possible, the retention period of the personal data or the criteria for determining this period; if possible, a general description of the measures taken to ensure data security; and, if the data is disclosed abroad, an indication of the country and contractual or similar safeguards. This means that in practice, significant actors in the automotive sector will have to establish and maintain such a data processing directory.
Data sharing and international transfers
Data sharing is subject to general data processing principles, in particular the principle of proportionality. In addition, for international transfers of personal data, the FADP/revFADP provide requirements that are similar to the transfer regime under the GDPR: personal data may be disclosed without further ado to countries that provide for an adequate level of data protection. Currently, the FDPIC maintains a list of these countries. Under the revFADP, it will be for the Federal Council to establish and maintain such a list.
For other countries, the necessary level of protection can, among other things, be ensured by contractual safeguards. The Standard Contractual Clauses ('SCCs') of the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (7 June 2021) are recognised by the FDPIC and may be used for data transfers from Switzerland, provided that the necessary adaptations and amendments as suggested by a paper authored by the FDPIC are made.
Data governance is not addressed on a legislative level. Therefore, industry best practices are the benchmark for data governance concepts.
Article 28 of the revFADP newly introduces the right to data portability. If the controller processes the data automatically and based on the consent of the data subject or in direct connection with the conclusion or performance of a contract between the parties, data subjects may request the controller to provide them with their personal data in a commonly used electronic format. The data subject may also ask the controller to transfer their personal data to another controller if this does not require a disproportionate effort. The practical implications of this right are still unclear; in case of doubt, it is to be understood as similar to the right to data portability according to Article 20 of the GDPR.
Privacy/Security by Design and by Default
The obligation for controllers to take appropriate measures in due time in order to ensure data protection compliance already follows from the general principles of the current FADP. Article 7 of the revFADP now explicitly lists this responsibility.
Where sensitive data is processed, such as biometric data to open or drive the car (e.g. fingerprints and facial recognition), the user should be given the option to deactivate services or functions that require access to sensitive data, where possible. However, no specific concept or guidelines are in place for the automotive sector.
There is no data ownership under Swiss privacy laws, which was confirmed during the last revision of the FADP. Instead, data protection laws are centred around data subjects' rights. Databases containing non-personal data (e.g. vehicle data) are not generally protected by copyright law, but may fall under business secret rules. In practice, rights relating to such assets are assigned on a contractual level.
5. Autonomous Driving
Switzerland is a member of the United Nations Economic Commission for Europe ('UNECE'). Therefore, resolutions and developments at the UNECE level are principally followed by the Swiss legislator. It can be expected that, once the international legal framework has been developed and Swiss law has been amended, driverless, fully automated vehicles may be licensed in Switzerland. Currently, without specific legislation for autonomous driving, the principles above apply.
Depending on the details of telematic services, manufacturers and/or providers of telematic services may qualify as telecommunications providers or as providers of derived communications services. In this case, the Telecommunications Act of 30 April 1997, as amended ('TCA') and/or the Swiss Federal Act on the Surveillance of Post and Telecommunications (only available in German here, in French here, and in Italian here) ('SPTA') may apply. The SPTA governs information requests and real-time and retroactive monitoring of postal and telecommunications traffic. Addressees of these laws are obliged to make certain data accessible for reasons of precaution, and/or to allow access by law enforcement agencies.
Traffic data may involve information on traffic violations or on the course of an accident. Such data, to the extent that it is relevant under criminal law, may be considered sensitive personal data according to Article 3(c)(4) of the FADP/Article 5(c)(5) of the revFADP, as the potential for stigmatisation is high. It is therefore subject to stricter standards when assessing the proportionality of its processing.
7. Vehicle Geolocation
Geolocation data has the potential to cause serious violations of personal rights. Where geolocation data is processed automatically, it may also qualify as profiling (see 'Key Definitions' above). Therefore, the principles of transparency and data minimisation are particularly important in practice. Where geolocation data is processed in company fleet cars, it is important to consider that employers should not have unrestricted access to such data, to avoid carrying out unauthorised monitoring of the employee.
See 'Transparency' above.
Manufacturers have to respect the principles of Privacy by Design and Privacy by Default. This applies in particular with regard to sensitive personal data, such as fingerprints, facial recognition, or other biometric data. This kind of data requires a higher standard for the proportionality of the processing and for information transparency. Besides, stronger protective measures must come into play, such as encryption, data access restriction, rapid pseudonymisation, and anonymisation.
The type approval procedures for vehicle systems, components, and equipment are governed by the Ordinance on the Type Approval of Road Vehicles (only available in German here and in French here) ('OTA') (see Article 1(1) of the OTA) and the Ordinance on the Technical Requirements for Road Vehicles (only available in German here, in French here, and in Italian here) ('OTR'). According to Article 3a(1) of the OTR, EU directives, EU regulations, as well as UNECE regulations also apply in Switzerland. In particular, Annex 2 of the OTR declares EU Regulation 2018/858 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, as well as various UNECE regulations as being applicable in Switzerland. Therefore, Switzerland is not expected to establish separate standards for manufacturing in the automotive sector.
Internet connectivity and eSIM management
Depending on the details of the respective services, where internet connectivity or eSIM management is provided, Swiss telecommunication laws, such as the TCA or SPTA, as well as their implementing ordinances, such as the Ordinance on Telecommunications Services (only available in German here) ('OTS') may apply (see above).
Where these laws apply, additional obligations may arise, such as the protection of telecommunications secrecy. Besides, in order to increase cybersecurity, telecommunications service providers are obliged to prohibit unauthorised manipulations of telecommunications equipment. To that end, the Federal Council may issue regulations on cybersecurity and information security of telecommunications infrastructures and services. According to Article 96(1) of the OTS, telecommunications service providers must immediately inform the Federal Office of Communications of faults in the operation of their networks that affect a significant number of customers.
Car-to-Car and Car-to-X communication
The Swiss legislator recently proposed the creation of a federal mobility data infrastructure. The purpose of this infrastructure is to support and manage information flow of mobility data between stakeholders, including private mobility service providers. A first draft for the creation of such infrastructure was published on 2 February 2022 (only available in German here) and was the subject of a public consultation procedure that ended on 3 May 2022. Typically, the public consultation procedure leads to changes to draft bills. It is therefore recommended to closely monitor the further development of this legislative project, as it may have an impact on car-to-car and car-to-X communication.