Current situation and outlook
Last year notable improvements were made in the area of our national security. At every available opportunity we had argued that Switzerland's indirect right of access to information weakened the rights of its citizens, and that in all likelihood it would not stand up to the scrutiny of the European Court of Human Rights. As a result, when the review of the Federal Internal Security Act (BWIS) came before Parliament at its session in December 2011, the decision was taken to make the necessary changes. The principle has now been accepted that applicants are to be granted a direct access to information as of right, in accordance with Articles 8 and 9 of the Data Protection Act (FADP). However, that right may be suspended in cases where national security is at stake. In such circumstances, applicants may ask the FDPIC to investigate the matter; if a mistake has been committed, he may issue a recommendation.
Given that no referendum was called in reaction to the revision of the law, the Federal Council announced that it would come into force at the beginning of July 2012. At the same time, the Federal Supreme Court was considering an appeal from an applicant under Article 18 of the Internal Security Act. In its decision of 2 November 2011, the Court ruled for the first time that the law was not in conformity with the European Human Rights Convention. That decision considerably improved the legal status of the applicant. The Court held that, as a matter of principle, an indirect right of access to information complied with the requirements of the ECHR provided that there was an overriding state security interest. However, the judges ruled that whatever the law might say, the FDPIC should have the right not only to make recommendations in the event of a mistake by a state security agency, but also to issue binding instructions. It justified its position by saying that this was the only way to ensure that FDPIC and the heads of the divisions of the Federal Administrative Court could exercise their oversight functions and fulfil their duty to ensure that data processing by state security agencies was subject to an independent review. The revised Article 18 of the BWIS now explicitly grants the Federal Administrative Court the right to issue a decree in order to correct a mistake. We assume that after the entry into force of the revised BWIS, the ruling of the Supreme Court will retain its validity and that the FDPIC's recommendations will be considered binding.
This year, too, we focussed our efforts on youth education, continuing in the same vein as in the previous year. We are convinced that in a world in which social networks play such an important role, initiatives such as ours to raise the awareness of young users are important; we cannot just content ourselves with appealing to schools or parents to do the job. We have sought out partners to help us in this endeavour, partly out of necessity as our resources are limited. The NetLa project, which was initiated 2011 by the Council for the Protection of Individual Privacy, reached a broad audience of schoolchildren. In November, the last month of the campaign, more than 6000 people visited the multimedia portal, corresponding to over 225,000 clicks. In order to sensitize young adults to data security issues in conjunction with the use of the new media, we have developed a teaching aid that comes in the form of individual modules. Users have been able to access these online since the beginning of the year free of charge. Our target group is pupils who are in secondary II education (as of age 16). We have also participated in training events organised by the universities of Neuchâtel and Lausanne. Furthermore, we have cooperated with the data protection authority of the Canton of Geneva, the University of Geneva, the Technology Observatory of Geneva, the Swiss Graduate School of Public Administration and other stakeholders on the development of the interactive service Thinkdata.ch. The French-language website, which will also soon be available in German, offers all persons who are in one way or another concerned with the subject of data protection and transparency answers that are precise and explicit. Currently we are looking for the financial resources necessary to develop our offerings and to provide them also in other languages. Finally, we co-organised with the Universities of Berne, Fribourg and Neuchâtel the fourth Swiss Conference on Data Protection Law.
During the course of 2011 we conducted numerous checks and investigations. For example, we inspected the video surveillance system operated by five public transport companies and suggested a few improvements, which they accepted. As part of our activities carried out within the framework of the Schengen Agreement, we visited the Swiss embassy in Moscow and made a number of recommendations. During the year under review, we successfully completed a fact-finding mission concerning a tennis club that operates a biometric reservation system and examined the data processing of credit rating agencies. We have completed our work on the «car claims information pool», a data platform for motor vehicle insurances, and thanks to our recommendations notable improvements have been introduced. We also asked an organizer of amateur sport events to introduce a variety of changes. We are still exchanging correspondence with him regarding their implementation. A new computer game has appeared on the market which has been designed to transmit data via the user's computer to the manufacturer without the former's consent. As a result, we have decided to launch an investigation.
Of the many interministerial consultations that have taken place, particular attention must be drawn to the revision of the Federal Law and Ordinance on the Surveillance of Post and Telecommunications Traffic. Here we successfully argued for the establishment of a legal basis to cover the use of GovWare. Whenever we have been involved in the preparation of a legal basis for systems used by the Federal Administration to monitor the use of electronic networks, we have highlighted the need for clear rules covering the recording, storage and analysis of so-called marginal or secondary data. As part of the revision of the law relating to the SwissDRG (Swiss Diagnosis Related Groups), we contacted a number of interested groups and demanded that the insurance companies be given only the data they really need. Furthermore, during the full overhaul of the Insurance Contract Act, we underlined the importance of enshrining the position of the medical examiner in law.
Among the many items published on our website during the year under review and listed in Section 3.3., we would like to mention in particular our explanatory comments on the revised e-Privacy Directive adopted by the EU and the booming development of Cloud Computing for the purposes of data processing.
On the subject of the transparency principle, a number of changes took place during the course of the year. The number of requests for access submitted to the Federal Administration almost doubled, and the FDPIC received 65 requests for mediation. We actually mediated 30 incidents, and in the vast majority of cases we were able to obtain a more favourable outcome for the applicant. All recommendations are summarized in Section 2.3.1 and can be viewed on our website. Following an appeal, the Federal Administrative Court examined four of our recommendations, and it ruled in our favour. Also, within the context of the revision of the Anti-Trust Law, our position that the competition authorities should not be excluded from the Transparency Act was upheld.
It is clear to us even at this stage that a number of subjects will be occupying our attention in the coming year. One of the most politically controversial issues is the request received from the US to apply the «hit/no hit» procedure to determine whether a person's fingerprints or DNA are recorded on the Swiss Codis or Afis database. During our negotiations it is important that we gain an assurance that any person who ends up on one of the two databases in error should be granted the same rights they have in Switzerland. It will be difficult to obtain such a guarantee, however, as the US simply does not offer an appropriate level of data protection, at least not from our perspective. We therefore believe that each individual case should not be examined by a privacy officer who answers to the Federal Administration, but rather by an independent judicial authority. It is equally important that in those cases where the data match, the rest of the procedure should take place within the framework of mutual legal assistance as provided for by law. In other words, the conditions for the release of personal data must be examined in each specific case on the basis of existing agreements. Under no circumstances should the request be automatically granted. It is also clear that any exchange of such data must be limited to serious criminality, and Switzerland must be granted reciprocal rights.
We have also been kept busy by the social networks, and more specifically Facebook's business policy. It is well known that the company's aim is to gain access to as much information as possible about users. This is then used to generate a personality profile that can be used for advertising purposes. Facebook, which makes billions of dollars as a result of this activity, keeps on changing its terms and conditions - to the detriment of its users and without obtaining their approval. Recently it has come to our attention that Facebook is targeting not only people who have accounts, but also those that do not use the service. In its draft terms of service dated March 2012, the company announced that these would also apply to non-users «who interact with Facebook outside the USA». A new provision has thus been introduced according to which such persons are deemed to consent to their data being transferred to, and processed in, the USA. The processing includes advertising purposes. The policy is nothing short of scandalous in that most «non-users» do not even realise that they are interacting with Facebook. How can this be? There are many websites which have a little «Like» icon which is linked to Facebook (indicated f. ex. by the presence of a small f). Facebook is automatically notified of any user visiting such a website even if the user has not clicked on the Like button. As a result, very precise personality profiles can be compiled, even of those who are so-called Facebook abstainers. We therefore intend to keep a very close eye on operators in order to ensure that all visitors to a website have the possibility of deciding whether or not they agree to their data being communicated. It is not surprising, therefore, that mistrust is growing among Parliamentarians. National Councillor Viola Amherd from the Canton of Valais submitted a parliamentary «postulate» in September 2011 requiring the government to draft a report on the legal situation with regard to the social media, to identify shortcomings, and to determine whether it might be appropriate to adopt a specific Social Media Act. She justified the motion by saying, inter alia, that the social media introduce «a new dimension into the field of communication and the use of electronic media, which may undermine the implementation of national laws and basic values.» Need we say more?
In the field of copyright, the ruling of the Federal Supreme Court in the Logistep decision created quite a stir. Just to recap the situation, the Supreme Court decided that the company's secret identification of IP addresses in order to track down potential copyright infringers and initiate civil proceedings against them was illegal. This ruling created a degree of agitation among the rights-holders. In its 2010 Annual Report, the Supreme Court pointed out that the current legal situation was unsatisfactory, and called upon the legislator to introduce copyright protection that was adapted to the new technologies. This most remarkable and unusual initiative on the part of the Supreme Court, however, has still not prompted any reaction. In the meantime, various parliamentary motions have been submitted with a view to improving the situation. It goes without saying that copyright protection on the Internet is a very sensitive subject and has created a considerable amount of heated debate not only in Switzerland (consider the success of the Pirate Party in Germany). The position we adopted when the case came before the Court has not changed: an IP address may only be used, if at all, in cases where criminal proceedings have been initiated to determine whether an individual is guilty of copyright infringement. Only once this has been done may a civil action be brought.