Current situation and outlook

Last year notable improvements were made in the area of our national security. At every available opportunity we had argued that Switzerland's indirect right of access to information weakened the rights of its citizens, and that in all likelihood it would not stand up to the scrutiny of the European Court of Human Rights. As a result, when the review of the Federal Internal Security Act (BWIS) came before Parliament at its session in December 2011, the decision was taken to make the necessary changes. The principle has now been accepted that applicants are to be granted a direct access to information as of right, in accordance with Articles 8 and 9 of the Data Protection Act (FADP). However, that right may be suspended in cases where national security is at stake. In such circumstances, applicants may ask the FDPIC to investigate the matter; if a mistake has been committed, he may issue a recommendation.

Given that no referendum was called in reaction to the revision of the law, the Federal Council announced that it would come into force at the beginning of July 2012. At the same time, the Federal Supreme Court was considering an appeal from an applicant under Article 18 of the Internal Security Act. In its decision of 2 November 2011, the Court ruled for the first time that the law was not in conformity with the European Human Rights Convention. That decision considerably improved the legal status of the applicant. The Court held that, as a matter of principle, an indirect right of access to information complied with the requirements of the ECHR provided that there was an overriding state security interest. However, the judges ruled that whatever the law might say, the FDPIC should have the right not only to make recommendations in the event of a mistake by a state security agency, but also to issue binding instructions. It justified its position by saying that this was the only way to ensure that FDPIC and the heads of the divisions of the Federal Administrative Court could exercise their oversight functions and fulfil their duty to ensure that data processing by state security agencies was subject to an independent review. The revised Article 18 of the BWIS now explicitly grants the Federal Administrative Court the right to issue a decree in order to correct a mistake. We assume that after the entry into force of the revised BWIS, the ruling of the Supreme Court will retain its validity and that the FDPIC's recommendations will be considered binding.

This year, too, we focussed our efforts on youth education, continuing in the same vein as in the previous year. We are convinced that in a world in which social networks play such an important role, initiatives such as ours to raise the awareness of young users are important; we cannot just content ourselves with appealing to schools or parents to do the job. We have sought out partners to help us in this endeavour, partly out of necessity as our resources are limited. The NetLa project, which was initiated 2011 by the Council for the Protection of Individual Privacy, reached a broad audience of schoolchildren. In November, the last month of the campaign, more than 6000 people visited the multimedia portal, corresponding to over 225,000 clicks. In order to sensitize young adults to data security issues in conjunction with the use of the new media, we have developed a teaching aid that comes in the form of individual modules. Users have been able to access these online since the beginning of the year free of charge. Our target group is pupils who are in secondary II education (as of age 16). We have also participated in training events organised by the universities of Neuchâtel and Lausanne.  Furthermore, we have cooperated with the data protection authority of the Canton of Geneva, the University of Geneva, the Technology Observatory of Geneva, the Swiss Graduate School of Public Administration and other stakeholders on the development of the interactive service The French-language website, which will also soon be available in German, offers all persons who are in one way or another concerned with the subject of data protection and transparency answers that are precise and explicit. Currently we are looking for the financial resources necessary to develop our offerings and to provide them also in other languages. Finally, we co-organised with the Universities of Berne, Fribourg and Neuchâtel the fourth Swiss Conference on Data Protection Law.

During the course of 2011 we conducted numerous checks and investigations. For example, we inspected the video surveillance system operated by five public transport companies and suggested a few improvements, which they accepted. As part of our activities carried out within the framework of the Schengen Agreement, we visited the Swiss embassy in Moscow and made a number of recommendations. During the year under review, we successfully completed a fact-finding mission concerning a tennis club that operates a biometric reservation system and examined the data processing of credit rating agencies. We have completed our work on the «car claims information pool», a data platform for motor vehicle insurances, and thanks to our recommendations notable improvements have been introduced. We also asked an organizer of amateur sport events to introduce a variety of changes. We are still exchanging correspondence with him regarding their implementation. A new computer game has appeared on the market which has been designed to transmit data via the user's computer to the manufacturer without the former's consent. As a result, we have decided to launch an investigation.

Of the many interministerial consultations that have taken place, particular attention must be drawn to the revision of the Federal Law and Ordinance on the Surveillance of Post and Telecommunications Traffic. Here we successfully argued for the establishment of a legal basis to cover the use of GovWare. Whenever we have been involved in the preparation of a legal basis for systems used by the Federal Administration to monitor the use of electronic networks, we have highlighted the need for clear rules covering the recording, storage and analysis of so-called marginal or secondary data. As part of the revision of the law relating to the SwissDRG (Swiss Diagnosis Related Groups), we contacted a number of interested groups and demanded that the insurance companies be given only the data they really need. Furthermore, during the full overhaul of the Insurance Contract Act, we underlined the importance of enshrining the position of the medical examiner in law.

Among the many items published on our website during the year under review and listed in Section 3.3., we would like to mention in particular our explanatory comments on the revised e-Privacy Directive adopted by the EU and the booming development of Cloud Computing for the purposes of data processing.

On the subject of the transparency principle, a number of changes took place during the course of the year. The number of requests for access submitted to the Federal Administration almost doubled, and the FDPIC received 65 requests for mediation. We actually mediated 30 incidents, and in the vast majority of cases we were able to obtain a more favourable outcome for the applicant. All recommendations are summarized in Section 2.3.1 and can be viewed on our website. Following an appeal, the Federal Administrative Court examined four of our recommendations, and it ruled in our favour. Also, within the context of the revision of the Anti-Trust Law, our position that the competition authorities should not be excluded from the Transparency Act was upheld.

It is clear to us even at this stage that a number of subjects will be occupying our attention in the coming year. One of the most politically controversial issues is the request received from the US to apply the «hit/no hit» procedure to determine whether a person's fingerprints or DNA are recorded on the Swiss Codis or Afis database. During our negotiations it is important that we gain an assurance that any person who ends up on one of the two databases in error should be granted the same rights they have in Switzerland. It will be difficult to obtain such a guarantee, however, as the US simply does not offer an appropriate level of data protection, at least not from our perspective. We therefore believe that each individual case should not be examined by a privacy officer who answers to the Federal Administration, but rather by an independent judicial authority. It is equally important that in those cases where the data match, the rest of the procedure should take place within the framework of mutual legal assistance as provided for by law. In other words, the conditions for the release of personal data must be examined in each specific case on the basis of existing agreements. Under no circumstances should the request be automatically granted. It is also clear that any exchange of such data must be limited to serious criminality, and Switzerland must be granted reciprocal rights.

We have also been kept busy by the social networks, and more specifically Facebook's business policy. It is well known that the company's aim is to gain access to as much information as possible about users. This is then used to generate a personality profile that can be used for advertising purposes. Facebook, which makes billions of dollars as a result of this activity, keeps on changing its terms and conditions - to the detriment of its users and without obtaining their approval. Recently it has come to our attention that Facebook is targeting not only people who have accounts, but also those that do not use the service. In its draft terms of service dated March 2012, the company announced that these would also apply to non-users «who interact with Facebook outside the USA». A new provision has thus been introduced according to which such persons are deemed to consent to their data being transferred to, and processed in, the USA. The processing includes advertising purposes. The policy is nothing short of scandalous in that most «non-users» do not even realise that they are interacting with Facebook. How can this be? There are many websites which have a little «Like» icon which is linked to Facebook (indicated f. ex. by the presence of a small f). Facebook is automatically notified of any user visiting such a website even if the user has not clicked on the Like button. As a result, very precise personality profiles can be compiled, even of those who are so-called Facebook abstainers. We therefore intend to keep a very close eye on operators in order to ensure that all visitors to a website have the possibility of deciding whether or not they agree to their data being communicated. It is not surprising, therefore, that mistrust is growing among Parliamentarians. National Councillor Viola Amherd from the Canton of Valais submitted a parliamentary «postulate» in September 2011 requiring the government to draft a report on the legal situation with regard to the social media, to identify shortcomings, and to determine whether it might be appropriate to adopt a specific Social Media Act. She justified the motion by saying, inter alia, that the social media introduce «a new dimension into the field of communication and the use of electronic media, which may undermine the implementation of national laws and basic values.»  Need we say more?

In the field of copyright, the ruling of the Federal Supreme Court in the Logistep decision created quite a stir. Just to recap the situation, the Supreme Court decided that the company's secret identification of IP addresses in order to track down potential copyright infringers and initiate civil proceedings against them was illegal. This ruling created a degree of agitation among the rights-holders. In its 2010 Annual Report, the Supreme Court pointed out that the current legal situation was unsatisfactory, and called upon the legislator to introduce copyright protection that was adapted to the new technologies. This most remarkable and unusual initiative on the part of the Supreme Court, however, has still not prompted any reaction. In the meantime, various parliamentary motions have been submitted with a view to improving the situation. It goes without saying that copyright protection on the Internet is a very sensitive subject and has created a considerable amount of heated debate not only in Switzerland (consider the success of the Pirate Party in Germany). The position we adopted when the case came before the Court has not changed: an IP address may only be used, if at all, in cases where criminal proceedings have been initiated to determine whether an individual is guilty of copyright infringement. Only once this has been done may a civil action be brought.

Evaluation of the Federal Data Protection Act

On 9 December 2011, the Federal Council adopted a report on the evaluation of the Federal Data Protection Act and submitted it to Parliament. Apart from noting the visible effect achieved by the Data Protection Act in meeting the challenges that existed at the time it came into force, and highlighting the fact that the creation of the FDPIC has proven to be an effective instrument in enhancing the protective force of the law, the report shows that there is still more that needs to be done:

«It is the opinion of the Federal Council that the main objective of the revision of the Data Protection Act is to adapt it to the technological and social changes that have taken place since its entry into force. As a consequence, the reforms it intends to propose will focus primarily on four core issues which are associated with technological and social change: 1. the increase in the amount of data processing; 2. data processing activities which are not readily detected either by the persons concerned or by the FDPIC; 3. the increasingly international dimension of data processing; 4. the growing difficulty of keeping control of data that have already been made public.

Against this background, the Federal Council intends to examine which measures may best be suited to meeting the following aims:

  • Applying data protection regulations early on in the process: as part of the overall concept, data protection issues should, wherever this may be appropriate and feasible, be addressed when new technologies are being developed. The point is to obviate the need for corrective measures once the data protection problems come to light (development of the privacy by design concept). In addition, privacy-enhancing technologies (PETs) need to be encouraged.
  • Increasing awareness among the persons concerned: they need to be made more aware of the risks posed by the new technologies to their privacy. 
  • Increasing transparency: the transparency of data processing needs to be improved, particularly in the kind of complex situations we see today where neither the person concerned nor the FDPIC are able to detect without undue effort that data processing activities are taking place. At the same time, it would be clearly wrong to inundate the individuals concerned with too much information either.
  • Improving data control and data ownership rules: the control and ownership of data once they have been disclosed remains an important issue. We need to verify whether the FDPIC's supervisory mechanisms need to be strengthened and whether the legal rights of the persons concerned, as well as their enforcement, need to be adapted to reflect the new situation created by technological change. We may wish to consider, for example, whether it might not be advisable to strengthen collective redress mechanisms and to spell out in more detail the «right to be forgotten» rules.
  • Protection of minors: account must be taken of the fact that minors are less aware than adults of the risks and consequences of the processing of personal data.»

The Federal Council furthermore intends to examine whether the independence of the FDPIC needs to be strengthened. One of the ideas being considered is also the extension of the system of self-regulation. Industry associations will be asked to define «best practice», which could then be approved by the FDPIC.

We have backed the government's position on these issues for many years now, and we are happy that the need for action has been recognised. However, we are somewhat concerned by the timetable that has been set, since the Federal Council seems content to wait and see what reforms may be introduced in the EU. Reforms in Switzerland clearly have to be coordinated with developments in the EU. However, in our view this should not prevent the government from appointing a panel of experts to consider the issues from a Swiss perspective. Data protection is after all an area where our country should be proud to be in the vanguard and to develop home-grown solutions rather than just being content to adopt EU law.

Hanspeter Thür