7 questions about data protection

1. What data is protected under data protection law?

Data protection protects the personality and fundamental rights of natural persons by regulating the processing of personal data and protecting the data subjects from processing by which the state interferes with their fundamental rights or private companies interfere with their privacy and self-determined lifestyle.

Data protection is therefore not directly aimed at the «protection of data», as the latter cannot be the bearer of rights. It also does not protect data ownership or exclusive rights to data like intellectual property law. Information held by private individuals under commercial and manufacturing secrecy or police and military secrets of the state are also generally not relevant to data protection because the interest in keeping them secret typically relates to the factual content of the information, such as a brewing recipe or weapons technology.

2. What is an individual’s ‹personality› and what is it being protected from?

The human personality as the very nucleus of data protection is what children refer to as ‹I› soon after they learn to say their own name. Legally defining the individual’s ‹I› is a challenge. Although the Federal Constitution, the Civil Code and the Federal Act on Data Protection state that the individual’s personality is legally protected, they do not define the term per se. However, according to legal theory and case law, ‹personality› refers to a person’s individual characteristics – their innermost nature – which characterise them as an individual while at the same time distinguishing them from other people.

3. Where do private and intimate spheres begin and how far do they extend?

An individual’s ‹I› is defined by their body, face, voice and behaviour. From a medical point of view, an individual’s ‹I› is situated in internal organs such as the brain. From there, the core of an individual’s intimacy and privacy extends to the outer body and the space inhabited by that individual. In that core area, data protection prevents or hinders intrusive means of data collection such as lie detectors or neural implants. Also devices such as camera-equipped drones, telephoto lenses and sensors that observe people’s behaviour in this area are also prohibited in principle.

In their digitalised everyday lives as consumers, passers-by, passengers or patients, people create and leave behind a trail of electronic information that could technically be used to draw conclusions about their personality. As a result, an individual’s intimacy and privacy – and therefore data protection – extends from their body and home to their smartphone and on to the cloud, where the private operators of data centres process vast amounts of text and voice messages, images and metadata such as websites visited or phone calls held. Data protection law sets limits on the processing and linking of data also in this extended area of privacy and intimacy.

4. Can consenting adults waive their data protection rights?

The protection of privacy is a constitutionally guaranteed fundamental right (Art. 13 of the Federal Constitution). In principle, there is no voluntary waiver of data protection rights with regard to the processing of personal data by the State. The purpose, scope and extent of data processing by the State are determined by statutory provisions that are binding for the authorities and from which they cannot be legally released in specific cases.

However, data subjects may consent to private processing of personal data that violates their privacy. That said, their waiver is only effective under data protection law if they have been fully and adequately informed in advance and their waiver is genuinely voluntary. Whether or not consent to specific data processing can be considered voluntary depends on the individual’s circumstances, for example the financial means of users of digital services: Not all users can afford to forgo the high discounts offered by private providers of goods and services in exchange for disclosing personal information as part of digital customer programmes. Furthermore, when individuals apply for employment, insurance or a rental property, high demand may not be used as a pretext for an excessive invasion of privacy by requiring applicants to provide supposedly voluntary information about their private lives. Consent given in such circumstances may prove invalid under data protection law.

5. Is privacy an outdated concept in the digital age with more and more people sharing everything about themselves on social media?

Millions of people document their lives on a daily basis with text, images and voice messages, sharing the information online with friends or paying customers or even making it accessible to the general public. However, adults seen presenting themselves in seemingly spontaneous poses for a wide audience are usually keen to portray themselves and their lives in a carefully staged manner. The vast majority of them are vulnerable and vigorously opposed to information about their actual private lives being obtained and disseminated without their consent.

Therefore, we see a growing need – rather than a decreasing one – for data protection in order to ensure that social network operators comply with their terms of use and do not process personal data that users do not share or only share selectively for their own purposes, including disclose it to third parties.

6. Are there any forms of data processing that are prohibited?

When regulating the processing of personal data by the authorities, lawmakers are obliged to respect the fundamental right to privacy and informational self-determination, with which the Federal Constitution guarantees individuals the right to lead private and self-determined lives. Any laws that were to introduce data processing activities by the State that undermined fundamental rights such as freedom of political expression and participation would be in conflict with the Constitution.

Unfortunately, the requirements of the Constitution and democracy are not always understood by the promoters of government digitalisation projects. When supervising such projects, the data protection authorities must always insist that the power-limiting mechanisms of democracy – e. g. the separation of powers, federalism or the division of administrative power among specialist authorities – not be discarded as ‹outdated practices› but rather be included in data flow automation.

The situation is different for the processing of personal data by private entities. In principle, this is permitted in Switzerland. Data protection law – which is based on principles – only provides a general, abstract answer as to when the invasion of an individual’s privacy reaches a level that cannot be justified by consent or overriding interests.

Data protection law takes a graduated approach to setting a limit for what is permissible, whereby legally binding consent to the collection of personal data can be declared invalid when data collection exceeds what is necessary for achieving the intended purpose by exploiting ignorance or a relationship of dependence.

An absolute limit is reached when an individual’s consent would deprive them of their freedom or restrict their freedom to a degree that violated morality or the law as a whole, as set out in the Civil Code.

7. How political is data protection?

Historically, the concept of data protection itself has its roots in the political model of liberalism.

In liberal constitutional states such as Switzerland, the protection of data and privacy entitles individuals to lead a private and self-determined life that goes beyond a mere right to exist. On the one hand, this principle sets liberal societies apart from totalitarian models of government and society, in which the individual is placed under collective rule; on the other hand, a model of society that is geared towards the right to enjoy life through self-fulfilment is in contrast with the efficient forms of organisation of other life forms such as insects or lifeless technology such as artificial intelligence.

Freedom would be totally eroded and privacy would become a thing of the past, for example, in a state or economic social order in which people became the mere object of collective goals in terms of absolute health, economic and police security and perhaps even absolute ecological sustainability through total monitoring and permanent self-measurement.

Irrespective of this historical derivation of data protection, data protection authorities fulfil their statutory duties in a democratic constitutional state in an apolitical manner.