Foreword

Opportunity makes the thief, or so the saying goes. Apply this analogy to data protection, and one could say: every new database whets the appetite for new uses. Why does this pose a problem?

There is a real risk that important principles set out in the Data Protection Act (DPA) may not be respected, for example the purpose limitation requirement. According to this important principle, data may only be used for the purpose for which it was originally collected. A patient who goes to the doctor must be able to expect that without his consent, his address will not be communicated to the pharmaceutical company that produces the medicine he has been prescribed.

Although this principle seems evident, in practice the creation of new databases produces an insatiable appetite for ever more data which cannot always be checked. The authorities are often extremely keen to get their hands on the data associated with the charge cards issued by department stores. What is permitted? In the context of criminal proceedings, the name of the card-holder obviously has to be revealed. Data protection can never serve as an excuse to protect offenders. However, the situation is less clear-cut when, as happened recently, the federal tax administration demanded that a major retailer hand over all its data on a particular customer in connection with a VAT inspection, even though the information revealed very little about the effective purchasing behaviour of the card-holder concerned. The reason is that cards may be used very selectively or indeed by other persons. The department store in question quite rightly refused the request. Had it not done so, it would have been in breach of the Data Protection Act.

These examples demonstrate that the authorities' desire for ever more data is likely to grow, just as there is a growing need to gain access to all kinds of existing databases. We need look no further than across our borders to have an idea what lies in store. In Germany, for example, a law allowing a number of different authorities (the inland revenue, the child benefit department, the national scholarship office, the social welfare department and the housing department) to obtain access to citizens' bank accounts was adopted almost without a protest. As a result, many civil servants can now gain access to a person's private sphere even if they have no grounds for suspecting that dishonest acts have been committed. It will be interesting to see how the German Constitutional Court will rule on a complaint brought by two persons who have been directly affected by this.

In the USA, the flow of data between private companies and the federal administration has already reached considerable proportions. A report from the General Accounting Office (the equivalent of the Control Committee in Switzerland) reveals that there are a number of projects in which private companies (e.g. credit card issuers and credit inquiry agencies) provide the administration with data. The American Civil Liberties Union has voiced its concern about the fact that private companies (banks, airlines, credit card companies, car rental firms, etc.) are increasingly selling their customer data collections to the administration. Large professional address brokers are able to produce lists of persons who are on anti-depressants, believe in the bible, play online games or buy erotic toys. This trend has increased exponentially ever since the war on terrorism began. The Patriot Act actually requires private firms to pass on data.

Laws which are meant to prevent excesses are often sloppily drafted. Shortly after Germany adopted the Motorway Toll Act, which only allows the data collected to be used for very specific purposes, the law enforcement authorities demanded that they be given data which can be used to track down speed offenders. It was only after the intervention of the German Data Protection Commissioner that the legislator introduced a clarification according to which the transfer, use or confiscation of data under the terms of other legal provisions is not lawful. But what happens if the legislator changes its mind in a couple of years' time?

Some may ask, what has this to do with Switzerland. To begin with, experience has taught us that developments such as the ones described above do not just skirt around our country and vanish into the distance. Here, too, the emergence of new databases creates new needs. Once data have been collected, they can be used for a variety of purposes. And as processing tools become more and more sophisticated, the possibilities for their use grow. Secondly, we need only cast our eyes across our borders to realize the problems that could arise as a result of the transnational exchange of data. We need to keep asking ourselves whether the country concerned guarantees a sufficient level of data protection and thus whether it is safe to allow the data to be transferred.

Another more general question is whether, in view of such developments, any reference to the private sphere has become obsolete. There have long been advocates of a position diametrically opposed to ours. For example, David Brin depicts in his book, "The Transparent Society", a vision of a society in which everyone can and is allowed to observe what everyone else is doing. The fact that many people do not object to being monitored is clear from the growing number of private webcams as well as the video cameras installed in many discotheques which broadcast live pictures on to the internet. The "I don't have anything to hide" mentality is behind the call for the creation of a DNA database covering the entire population. The principle of innocent until proven guilty, which is a central tenet of a liberal democracy, thus falls by the wayside.

Sometimes one gets the feeling that western civilization, which expanded and thrived thanks to the liberal and enlightened spirit of its founding fathers and proved to be superior to, and outlived, authoritarian communist regimes, has grown tired of defending civil liberties. Increasingly, people are seeking salvation in more control and surveillance. When people stop defending their basic rights and freedoms - and the protection of privacy is definitely one of the most important - they no longer deserve them!

Finally, we are reminded that even in the field of data protection insular solutions will get us nowhere, and that in a globalised world with global data flows the adoption of internationally valid data protection rules is of the utmost importance.

That is precisely the purpose of the 27th International Conference of Data Protection and Privacy Commissioners which is due to be held for the first time in Switzerland this year (Montreux, 14-16 September 2005). We are particularly pleased that the Swiss Federal Data Protection Commissioner is being given the honour to host this event. The motto of the meeting - "The protection of personal data and the private sphere in a globalized world" will lead us straight to this issue. On exactly the 10th anniversary of the adoption of EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, the time has come for us to take stock. Did the Directive fulfil our expectations? How does it fit in with the current international context? Do we need a new initiative at a global level in order to strengthen and harmonize data protection? At this conference we will be adopting a final declaration which will provide answers to these questions.

Hanspeter Thür

[July 2005]

https://www.edoeb.admin.ch/content/edoeb/en/home/dokumentation/taetigkeitsberichte/aeltere-berichte/12--taetigkeitsbericht-2004-2005/vorwort.html