The 11th September abruptly changed the debate on the relationship between public security and the protection of personal freedoms. Ever since the two aircraft reduced the twin towers of the World Trade Center in New York to smouldering rubble, there has been no let up in the discussion. Around the globe, the war on terror and the question of public security have been top of the agenda. A central issue in the debate is the question of how far data protection can be taken in view of this threat. This is a legitimate question, as data protection never operates in a vacuum. It involves the constant weighing-up of a wide variety of interests. Data protection commissioners too must respond to this challenge. At the same time it is up to society to define just how much public security it desires and how much protection of the private domain it is prepared to sacrifice in return.
As data protection officers, we have to monitor this process and ensure that the principles of the Data Protection Act, which are identical to the principles of a liberal state governed by the rule of law, are not disregarded. We have therefore repeatedly pointed out that before any reactions, the causes must be analysed and only measures that are appropriate and reasonable should be contemplated. This means that any measures proposed must in fact bring an increase in security, and it must at the same time be certain that this objective cannot be achieved by other means that have less drastic consequences for the individual.
Here two points should be emphasised: increased public security need not automatically come at the expense of protection of the individual. If it is established, for example, that poor security at US airports facilitated the attacks, it does not follow from the data protection standpoint that there is any reason not to increase security controls. Data protection after all is not meant to provide protection for criminals and terrorists.
At the same time, however, it must be stressed that a rigorous security policy can seriously undermine the basic rights of the liberal state under the rule of law. We must always remember that there is no such thing as total security. With increasing technological development, our western civilisation is becoming more and more vulnerable. Scientists and intellectuals have been analysing this phenomenon, which they have named the "risk society", and not just since 11th September. In recent decades, the prime concerns in this connection have been the risks engendered by the nuclear power industry and chemical and biochemical production processes. An added risk factor is that terrorist strategies now seek to exploit these technological risks that mankind has created. What is new about this, however, is simply that terrorists are now actually making use of this potentiality. Risk theorists have long predicted this development, but until now their warnings have fallen on deaf ears.
How is this challenge to be met in a liberal society governed by the rule of law? Could it be that, with the collapse of the towers of the World Trade Center, hopes of dealing with the risks of modern technology in a "civilised" manner were also dashed? There is in any case a great temptation no longer to talk about the acceptability of the risks created by new technologies and possible alternatives but instead to concentrate on bringing about security by using the powerful technical means that are available today to control and monitor the population. Total security would then mean the introduction of comprehensive DNA databases, combined with dragnet techniques, the setting up of offender profiles, blanket video and satellite surveillance, the linking of all existing databases, and the use of the GPS (Global Positioning System) in order to determine the location of everyone at all times. This is not a science fiction fantasy, but a vision of horror that can be realised with the aid of current technology. Orwell has long been overtaken by technological progress! In order that this nightmare does not gradually become reality, we need an open debate involving mature and responsible citizens who appreciate that total security leads to totalitarianism.
The debate on risks must therefore be radically extended if we do not wish to take on board the insidious dismantling of the free democratic state. This process is always insidious, because it is not the case that democracy, data protection and civil liberties simply exist or do not exist. These values are always more or less present, but they disappear when they are not asserted or defended. To the extent that we continually push forward with our technological capabilities (nuclear power, gene manipulation, computer technology, Internet etc.), we must also be aware that we become ever more vulnerable as a result. There is also a certain probability that disasters which are technically conceivable - and not only terrorist inspired disasters - will indeed occur. This means that the debate on risks must begin with the problem of defining what technological advances can still be accepted by society given the increase in the risks. We must operate according to the principle that just because something is technically possible does not mean that it must be done. If the debate on risk is reduced solely to the question of combating terrorism, we cut out other equally virulent dangers and end up with a false sense of security. The delicacy of this discussion is shown by the example of the Internet: no one would want to do without this ingeniously simple means of communication. Entire sectors of the economy are dependent on it, and not only global enterprises, but also the small and medium-sized companies that use it every day. If there is now the suspicion that Osama bin Laden planned and co-ordinated the attacks via the Internet, this type of danger might be countered by rigorous monitoring of internet communications, with a prohibition on encryption (as demanded by the USA). That would at the same time bring the Internet to an end, for who would be prepared to use this means of communication if he had at the same time to reckon with the intelligence services taking a look at his messages any time they wanted? What this means is that there are no longer any simple answers in our complex world. At the end of the day, we must always recognise that we live in a risk society (and that at every turn we say yes to doing so) and we must therefore be consciously aware of the risks.
My predecessor, Odilo Guntern, whom I would like at this point to acknowledge and thank for his excellent ground-breaking work as the first Federal Data Protection Commissioner, observed in his first Annual Report in 1994 that one of the tasks of the data protection commissioner was to contribute to the development of an awareness of the importance of data protection. He succeeded in doing this in an outstanding manner. It is thanks to Odilo Guntern and his staff that the Data Protection Commissioner is held in high regard by the public and its advice and opinions are sought on a daily basis. I will endeavour to ensure that this continues.
With regard to this, it may seem that internal security is currently taking precedence over all other issues. However, significant developments are underway in other areas and they too pose a challenge for data protection. In healthcare, electronic patient files are becoming increasingly prevalent and this creates opportunities and risks for data protection. We are keeping very close to this issue by participating in a project in which, for example, we would like to demonstrate how these opportunities can be exploited and the risks avoided. Along with medical records, other innovations are under discussion that must be monitored from the point of view of data protection.
An important debate is currently taking place in connection with the use of DNA analyses in criminal proceedings. In what circumstances can this type of testing be carried out and ultimately whose data can be stored in a DNA database and for how long?
Of no less significance is the ongoing revision of the Data Protection Act. It will reinforce the legal protection of the individual significantly by providing for citizens to be informed automatically if data relating to them that is particularly worthy of protection is being stored or processed. My personal wish in relation to this revision is for an increase in the personal responsibility of those involved in the processing of data. Data protection has to be used more as a selling point and consumers should prefer companies and products that set a good example when it comes to data protection. In relation to environment issues, this free-market approach has brought results for a long time: a product can distinguish itself as being particularly environmentally friendly, foodstuffs proudly display the "organic" label, and last year this brought one wholesale distributor above-average growth rates. We should strive to achieve the same results in the field of data protection. Companies that allow themselves to be subjected to a data protection inspection should be given a stamp of quality and should thus be able to gain an advantage in the market. This assumes both that the legislature should take this into account in the ongoing revision of the Act and that consumers should increasingly show a preference for those products that take data protection seriously.
Hanspeter Thür
Swiss Federal Data Protection Commissioner
[July 2002]