Position of the SDPC on the Revision of the Data Protection Act

The SDPC is generally in support of the proposals for the amendment of the FADP that have been made in the two dispatches from the Federal Council previously mentioned. As we remarked in our 8th Annual Report (Chapter I.12), we would have favoured a more extensive revision of the FADP and more consistency in bringing the FADP in line with European law. We welcome the introduction of certification and of the data protection seal of approval, which further reinforce the autonomy and responsibilities of the controllers of data files. In addition, we would point out that a balance has been found in the Government Transparency Act between allowing access to official documents and the requirements relating to the protection of personal privacy. However, we have intimated our reservations with regard to the introduction of a provision that allows the Federal Council to authorise the automated processing of particularly sensitive data or personality profiles before a formal Federal Act comes into force. In our opinion, this provision on the one hand goes beyond the "online connections" motion, which called for a basis in law for online access only. On the other, we are of the view that a modification of the principle of legality, whereby all administrative action must have a statutory basis, is also required - particularly in order to take account of the complexity of systems that process personal data and the developments in the way in which federal government organs fulfil their duties - but we would have wished for more detailed deliberations on the requirements of the principle of legality and on the procedures for its implementation. As in some European legislation, certain processing procedures could be made subject to the prior approval of the Federal Data Protection Commissioner. In a subsequent phase, the reinforcement of the rights of the person affected and the simplification of the procedure in the private sector are, in our opinion, essential in order that private individuals are better placed to assert their rights. Furthermore, the use of data protection-friendly technologies should be encouraged, for example by imposing a duty on those processing personal data to make instruments available that allow private individuals to exercise their rights when using online services. Self-regulation could also be made more strict. The extended autonomy of those responsible for data processing must however entail the introduction of preventive and, in the event of abuse, repressive control measures. This means that the SDPC will play a more active role in the future. It is important to avoid a situation where private individuals are left completely unprotected when data relating to them is processed. A policy therefore has to be devised that encourages the acknowledgement and observation of the principles of data protection and that permits the persons affected to exercise their rights effectively. The SDPC must ensure that the rules are followed and integrated into data processing procedures. This approach requires a revision of the powers of the SDPC. The SDPC should not only monitor compliance with the statutory conditions, but also take the measures that are required in the event of any infringements and have the power to impose sanctions where appropriate. To achieve effective supervision requires resources (currently inadequate) and the authority to adjudicate (see also Section 12.1 of the Annual Report). In keeping with other data protection authorities in Europe and other supervisory authorities in Switzerland, such as the Federal Competition Commission, the SDPC should also have the power to impose sanctions. In addition, a right of appeal against rulings by federal agencies (similar to that provided for in the Data Protection Act of the Canton of Glarus) could be introduced.

[July 2003]