As much as the GDPR is the 800-pound gorilla in European data privacy regulations, there are countries that are currently outside of its direct reach. Find out about them here.
Current non-EU European countries include: Albania, Belarus, Bosnia and Herzegovina, Iceland, Kosovo, Liechtenstein, Moldova, North Macedonia, Norway, Russia, Serbia, Switzerland, and Ukraine. (As mentioned in the EU post, although the United Kingdom has departed the union, its data protection rules, the UK GDPR and the Data Protection Act 2018, are essentially identical to the GDPR.)
Of note, Norway, Iceland, and Liechtenstein are members of the European Economic Area (EEA), which gives them access to the EU’s single market, and because the GDPR has been incorporated into the EEA Agreement, those three countries are bound by it. Switzerland is not an EEA member; it participates in the single market through a series of bilateral agreements and therefore sits outside the GDPR’s direct reach.
The two most significant European economies that are not covered by the GDPR are Russia and Switzerland, so we will consider them in this post.
The Russian Federal Law on Personal Data (No. 152-FZ) was enacted in 2006 and has become the foundational piece of privacy legislation for the country. A 2014 amendment (Federal Law No. 242-FZ, in force since 1 September 2015) added a data localization requirement: the recording, systematization, accumulation, storage, updating and retrieval of Russian citizens’ personal data must be carried out using databases physically located in Russian Federation territory.
The Russian Data Protection Authority (“Roskomnadzor”) has since issued guidance clarifying a few key points, especially what an operator may do with the data after that initial processing inside Russia (for example, transferring a copy abroad).
The stated goal of the law is to protect the rights and freedoms of individuals when their personal data is processed, including their rights to privacy and to personal and family secrets.
Intent and Major Provisions
Under the Russian Federal Law on Personal Data, a personal data subject is guaranteed the following rights. (The translated text below has been edited, condensed as appropriate, and formatted for clarity):
Article 14. The Right of the Personal Data Subject to Access to His Personal Data
- The personal data subject has the right to obtain information about the operator and its location, to learn whether the operator holds personal data pertaining to him, and to become acquainted with such personal data, except in the cases provided for by part 5 of this article.
- The personal data subject is entitled to demand that the operator should keep his personal data current, block or destroy them if the personal data are incomplete, outdated, unlawfully obtained or not necessary for the stated purpose of processing (and) take measures provided for by the law in order to protect his rights.
- Information about availability of personal data should be provided to the personal data subject in an understandable form and it should not contain personal data pertaining to other personal data subjects.
- Access to one’s personal data is granted to the personal data subject or his legitimate representative by the operator in case of communication or enquiry received from the personal data subject or his legitimate representative….
- The personal data subject has the right to receive, in case of communication or enquiry received, the information concerning processing of his personal data containing, inter alia:
- a confirmation of the fact of personal data processing by the operator as well as the purpose of such processing;
- the methods of personal data processing applied by the operator;
- information about the persons who have access to the personal data or whom such access may be given to;
- the list of processed personal data and the source they were obtained from;
- the time limits of personal data processing including the time limits of their storage;
- information about the legal consequences the processing of personal data may entail to their subject.
The exclusions applicable to these rights include:
The personal data subject’s rights to access to his personal data are restricted in case:
- processing of personal data including the personal data obtained through special investigative techniques, counterintelligence and intelligence operations is performed for the purposes of defense of the country, security of the state and law enforcement;
- processing of personal data is performed by the agencies that detained the personal data subject on suspicion of offense or that brought a charge of crime against the personal data subject or that applied a measure of restraint to the personal data subject before a charge is brought, except for the cases provided for by the Russian Federation criminal procedure legislation if it is allowed for the suspect or indictee to get familiarized with such personal data;
- provision of personal data infringes the constitutional rights and freedoms of other persons.
Under the Russian Federal Law on Personal Data, PII is defined as:
any information pertaining to a natural individual who is identified or identifiable on the basis of such information (the personal data subject), including his surname, first name, patronymic, year, month, date and place of birth, address, marital, social, property status, education, profession, income, other information.
Ending with “other information” is not a misprint! That is exactly what is contained in the language, which as you can see is rather vague. This can present a real problem since it means the Roskomnadzor (the Russian Data Protection Authority) can wake up one morning and decide that a whole other list of attributes qualify for “personal data,” making compliance a bit tricky.
Article 1 of the Russian Federal Law on Personal Data reads:
This Federal Law regulates the relations connected with personal data processing carried out by federal state authorities, state authorities of Russian Federation constituents, other state bodies (hereinafter–state bodies), municipal bodies that are not part of local authorities (hereinafter–municipal bodies), legal entities, natural individuals with the help of automation aids or without them if personal data processing without such aids corresponds to the nature of actions (operations) done with personal data with the help of automation aids.
Essentially, any company that processes Russian citizens’ data is affected by this law. Roskomnadzor treats signs that a business is aimed at the Russian market as bringing it within scope: a Russian domain name, accepting payments in Russian rubles, delivering goods or services in Russian Federation territory, or something as simple as a Russian-language version of the website or even Russian-language advertisements. If any of those apply to you, you must comply with this law.
Similarly, Article 1 of the Russian Federal Law on Personal Data continues:
This Federal Law does not cover the relations arising during:
- personal data processing by natural individuals solely for personal and family needs if this does not infringe the rights of personal data subjects;
- organization of storage, integration, accounting and use of the documents of the Archive Holding of the Russian Federation and other archive documents containing personal data, in accordance with the Russian Federation archiving legislation;
- processing of data about natural persons subject to inclusion into the united state registry of individual entrepreneurs if such processing is performed in accordance with the Russian Federation legislation in connection with the natural individual’s activities as an individual entrepreneur;
- processing of personal data classified as data constituting state secret following the statutory procedures.
The enforcement agency is the Russian Data Protection Authority (“Roskomnadzor”).
The Russian Data Protection Authority can take a variety of actions, such as placing your site on its register of violators and ordering access to it blocked from within Russia, which is what happened to LinkedIn in 2016. Roskomnadzor has also recommended legislation, currently moving through the Russian legislative process, that calls for fines of up to eighteen million rubles (about $280K U.S.) for the most egregious repeat offenders, with first-time localization violations by companies fined between one and six million rubles (roughly $15K to $94K U.S.), plus a menu of smaller fines for other levels of violation. This legislation has not been finalized as of this writing, but you should expect the fines to be steep and their enforcement pursued vigorously.
Here is the complete text for the Russian Federal Law on Personal Data (in English).
Global. Anyone doing business in or with Russia is affected.
Switzerland has a long history with privacy, and it is a topic taken very seriously. Swiss laws are very strict when it comes to individual privacy, and consistent with the nation’s neutrality stance, Switzerland requires that all international information-sharing requests comply with local Swiss law, which sets the bar very high. As an example, the Federal Supreme Court of Switzerland ruled in 2010 (the Logistep decision) that Internet Protocol (IP) addresses are personal data and therefore subject to all pertinent privacy and disclosure laws.
The right to privacy is enshrined in the Swiss Constitution. Article 13 is clear:
Article 13. Right to privacy
- Every person has the right to privacy in their private and family life and in their home, and in relation to their mail and telecommunications.
- Every person has the right to be protected against the misuse of their personal data.
In 1992, The Federal Assembly of the Swiss Confederation passed the Federal Act on Data Protection (FADP, or DPA). In 1993, they passed the Ordinance to the Federal Act on Data Protection (DPO), followed by the Ordinance on Data Protection Certification (DPCO) in 2007. Taken together, the act plus the ordinances set the tone for data privacy protection in Switzerland.
These laws are an extension of the Swiss privacy culture as it applies to personally identifiable information data processing. For that matter, the stated aim in Article 1 of the DPA is the protection of privacy and the fundamental rights of persons when their data is processed.
Intent and Major Provisions
The salient points of the DPA (the 1992 Act as amended, which is the version in force at the time of writing; a fully revised FADP was adopted on 25 September 2020 and is scheduled to enter into force on 1 September 2023) include:
Article 4. Principles
- Personal data may only be processed lawfully.
- Its processing must be carried out in good faith and must be proportionate.
- Personal data may only be processed for the purpose indicated at the time of collection, that is evident from the circumstances, or that is provided for by law.
- The collection of personal data and in particular the purpose of its processing must be evident to the data subject.
- If the consent of the data subject is required for the processing of personal data, such consent is valid only if given voluntarily on the provision of adequate information. Additionally, consent must be given expressly in the case of processing of sensitive personal data or personality profiles.
Article 5. Correctness of the data
- Anyone who processes personal data must make certain that it is correct. He must take all reasonable measures to ensure that data that is incorrect or incomplete in view of the purpose of its collection is either corrected or destroyed.
- Any data subject may request that incorrect data be corrected.
Article 6. Cross-border disclosure
Personal data may not be disclosed abroad if the privacy of the data subjects would be seriously endangered thereby, in particular due to the absence of legislation that guarantees adequate protection.
According to the DPA, data subjects (not only Swiss citizens, but anyone whose data is processed under the Act) have the following rights with regard to their PII:
Article 8. Right to information
- Any person may request information from the controller of a data file as to whether data concerning them is being processed.
- The controller of a data file must notify the data subject:
- of all available data concerning the subject in the data file, including the available information on the source of the data;
- the purpose of and if applicable the legal basis for the processing as well as the categories of the personal data processed, the other parties involved with the file and the data recipient.
- The controller of a data file may arrange for data on the health of the data subject to be communicated by a doctor designated by the subject.
- If the controller of a data file has personal data processed by a third party, the controller remains under an obligation to provide information. The third party is under an obligation to provide information if he does not disclose the identity of the controller or if the controller is not domiciled in Switzerland.
- The information must normally be provided in writing, in the form of a printout or a photocopy, and is free of charge. The Federal Council regulates exceptions.
- No one may waive the right to information in advance.
Under the Swiss Federal Act on Data Protection, PII is defined as:
Article 3. Definitions
- personal data (data): all information relating to an identified or identifiable person;
- data subjects: natural or legal persons whose data is processed;
- sensitive personal data: data on:
- religious, ideological, political or trade union-related views or activities,
- health, the intimate sphere or the racial origin,
- social security measures,
- administrative or criminal proceedings and sanctions
As per Article 2 of Swiss Federal Act on Data Protection:
Article 2. Scope
This Act applies to the processing of data pertaining to natural persons and legal persons by:
- private persons;
- federal bodies
Similarly, Article 2 of Swiss Federal Act on Data Protection excludes the following:
- personal data that is processed by a natural person exclusively for personal use and which is not disclosed to outsiders;
- deliberations of the Federal Assembly and in parliamentary committees;
- pending civil proceedings, criminal proceedings, international mutual assistance proceedings and proceedings under constitutional or under administrative law, with the exception of administrative proceedings of first instance;
- public registers based on private law;
- personal data processed by the International Committee of the Red Cross.
If you find the exclusion of the Red Cross a little out of left field, remember that they are a Swiss organization, founded in 1863 in Geneva. The exclusion was a recognition of the Red Cross’s humanitarian mission and a way to remove what the government considered an undue burden. In other words, even the infamously neutral Swiss play favorites sometimes. (At least it’s a global humanitarian organization. I think we’ll let them slide on this one.)
The enforcement agency is the Swiss Federal Data Protection and Information Commissioner (FDPIC).
The revised Swiss Federal Act on Data Protection stipulates fines of up to 250,000 CHF, and, unlike the GDPR, these are levied on the responsible natural person (for example, the manager who decided on the processing) rather than primarily on the company; the fines under the 1992 Act were far lower.
Here is the complete text for all relevant bills: Swiss Federal Act on Data Protection (in English); the Ordinance to the Federal Act on Data Protection; and the Ordinance on Data Protection Certification.
Localized to Switzerland.
In closing our look at European regulations, it is worth noting the current effort to strengthen the GDPR further through what is called the ePrivacy Regulation (ePR). The ePrivacy Regulation will govern all electronic communications within the EU. It is part of the EU’s “Digital Single Market Strategy,” and its key points revolve around the following:
- Confidential Electronic Communications. This will prohibit eavesdropping on any electronic communication without user consent.
- Spam and Marketing Communications Consent. This will require explicit consent across all channels (email, text, calls, etc.) and will require that marketers identify themselves truthfully in all communications, including presenting a genuine calling-line number on marketing calls.
- Consent for Individual Metadata Processing. This expands the confidentiality of electronic communications past the actual content to the metadata of the communication itself (e.g. number called, time, date, etc.)
- Behavioral Cross-Platform Confidentiality. This will require the affirmative consent of a user, across any platform, for behavioral tracking, including web site cookies.
As you can imagine, this is fairly ambitious privacy legislation, which is why it has been stuck in debate since the Commission proposed it in January 2017, the better part of five years. It is a bold, “technology future proof” piece of legislation, and as such, the obstacles to overcome are many. Trilogue negotiations between the European Parliament and the Council were still under way on the 2022 text, so changes may still occur. The current hope is that ePrivacy will go into effect sometime in 2023 (plus a two-year transition period), thereby further strengthening data privacy in the EU and, by extension, around the world.