A-3548/2018: Decision of the Federal Administrative Court in the case of Helsana+.

In the matter of FDPIC vs. Helsana regarding the Helsana+ app, the Federal Administrative Court (FAC) has handed down its long-awaited verdict (Judgment A-3548/2018 of 19 March 2019). The Helsana+ app is an app for the Helsana+ bonus program, where participants can collect points and convert them into bonuses. Among other things, questions arose in connection with consent and with the disclosure of personal data by basic insurers. Also in dispute was the question of whether the bonus program for app users violated the prohibition of premium refunds under health insurance law and – if so – whether this meant that the associated data processing was also unlawful (within the meaning of Art. 4 (1) FDPA), as the FDPIC had asserted.


The app works – in the assessed version – as follows (E. A):

Helsana supplementary insurances AG operates the app-based bonus program “Helsana+” […]. Participants in the program can collect […] plus points, which they can convert into bonuses […]. Only policyholders of an insurance company of Helsana AG (Helsana supplementary insurances AG, Helsana Insurances AG and Progres Insurances AG) are eligible for bonuses. The app does not transmit health and movement data […]. Different bonuses are granted for policyholders of the mandatory health care insurance and the supplementary insurance. To determine eligibility and to calculate the amount of the bonuses, Helsana supplementary insurances AG clarifies the insured characteristics of the participants. For this purpose, it requests from them, as part of the registration process via the app, consent for data from the Helsana Group’s compulsory health insurance to be transferred to the supplementary insurance.

In doing so, the terms of use provided:

For the registration and identification of the user for the full version, the insurance number, the ZIP code, the date of birth and the e-mail address are required.

Helsana is entitled to view the relevant data of the respective insurance companies of the Helsana Group for the purpose of identifying the user.

In Section B.4, “Consent to Match with User’s Insured Data,” the regulations further provided:

The user expressly agrees that Helsana, within the framework of the processing of the Helsana+ app, may access the user’s insured data held by the insurance companies of the Helsana Group.

Even before the FAC ruling, however, Helsana changed the way the app works. The basic insurer no longer discloses any data. Instead, participants upload a photo of their health insurance card. Consent is therefore no longer required, which is why the FAC’s decision no longer has any effect on the app.

On the legality within the meaning of Art. 4 para. 1 FDPA

On this point, the ruling is clear: a violation of legal provisions only leads to the unlawfulness of data processing if the violated norm aims at the protection of personality:

5.4.4 In summary, the principle of legality of Art. 4 para. 1 FDPA is to be understood in such a way that data processing for an illegal purpose is unlawful within the meaning of the Data Protection Act only if, in doing so, it violates a norm that at least also, directly or indirectly, aims to protect the personality of a person.

In contrast, the violation of a norm is irrelevant in terms of data protection law if this norm does not aim to protect personality. This is in itself self-evident, because like any other area of law, data protection law has its own protective purpose, even if data protection law has the potential to become an undifferentiated super-regulation due to its broad factual scope – processing of personal data. But if one were to view every violation of law as a data protection violation as soon as personal data is processed in the process, then – only slightly exaggerated – the Clean Air Ordinance would also have to be regarded as violated if the perpetrator breathes. There are certainly signs that the regulatory claim of data protection law is being overstretched, if one thinks of provisions with antitrust implications such as the right to data portability, which is also propagated in Switzerland, or the fact that the ingress of the revised Data Protection Act recently also cites Art. 97 para. 1 BV, the constitutional basis of consumer protection law. Against this background, the recent decision by the German Federal Cartel Office in the Facebook matter appears as a justified reaction of antitrust law to attempts of appropriation by data protection law. With the ruling of the FAC, it is now hopefully clear that data protection law is not a vehicle for helping other types of regulatory objectives to achieve a breakthrough. This becomes even more important when data protection sanctions are strengthened.

On consent

The considerations of the FAC on the subject of consent are significant for practice. Here the FAC partially agreed with the FDPIC: the consent of the basic insured users of the app to the disclosure of their data to the operator of the app, the carrier of the supplementary insurance, was invalid.

Why a consent requirement?

The FAC apparently saw a requirement for consent for two reasons:

  1. The processing of personal data from the basic insurance (the compulsory health care insurance, “OKP”) in the context of the app violates, in the view of the FAC, the earmarking principle (E. 4.7), which requires justification.
  2. Then, within the framework of the app, there was an initial disclosure of data by a basic insurance carrier to Helsana, because the basic insurance status was relevant, among other things, for calculating the amount of the bonuses. Helsana, as the operator of the app, therefore had the OKP insurer confirm that participating users had basic insurance. In the opinion of the FAC, this constitutes a disclosure of data by the OKP insurer. Under Art. 84a KVG, such a disclosure of data is permissible only in certain constellations, including with consent within the meaning of Art. 84a (5) lit. b KVG.

In its examination of consent, the FAC more or less follows this structure, i.e. it first examines the effectiveness of consent according to general principles and then asks whether the consent to disclosure by the OKP insurer withstands scrutiny under Art. 84a para. 5 KVG.

Tying ban not violated

First of all, the FAC held that the tying ban was not violated, i.e., that the linking of the app and consent did not invalidate the voluntary nature of the consent. The FDPIC had taken the view in its lawsuit that consent was involuntary because access to the app was linked to consent. The FAC now sees this differently:

  • On the one hand, the coupling is not extraneous:

    Contrary to the plaintiff’s submissions, the consent is voluntary, as the disadvantage threatened in the event of non-consent – the impossibility of participating in the Helsana+ program – has a direct reference to the data for the processing of which consent is obtained and thus there is no impermissible coercion to grant consent […]: Without obtaining the personal data, the defendant cannot check whether there is an insured relationship with another insurance company of the Helsana Group, which in turn is a prerequisite for participation in the Helsana+ program and entitles to bonus points under the program.

  • On the other hand, the fact that participation in the program had monetary advantages did not amount to undue coercion either:

    The fact alone that the defendant advertises participation in the program with monetary benefits and in particular with cash bonuses (in the amount of a maximum of Fr. 75 per year for persons with basic insurance only) also does not constitute impermissible coercion.

This attitude of the FAC was not necessarily self-evident, especially since the FAC itself – in the KSS decision (A-3908/2008 of 4.8.2009) – had taken a rather restrictive stance. With the present ruling, however, it should now be clear that linking access to a service to consent is at least harmless if the link is appropriate, i.e. if the data processing in question is inherent in the design of the service in question. It is not entirely clear, however, whether and under what circumstances disproportionate benefits render voluntariness invalid. However, the quoted passage sounds at least as if monetary benefits cannot in principle render the voluntary nature of consent invalid.

Art. 84a para. 5 KVG violated

With reference to the disclosure by the OKP insurer, the FAC examines the requirements of Art. 84a para. 5 lit. b KVG. According to that provision, personal data may be disclosed,

provided that the person concerned has consented in writing in individual cases or, if it is not possible to obtain consent, it may be presumed under the circumstances to be in the interest of the insured person.

Against this background, the FAC does not see any effective consent to the disclosure of data:

  • It follows from Art. 84a para. 5 lit. b KVG and also from Art. 19 para. 1 lit. b FDPA that consent is effective only “in individual cases”. This is not the case here, because the data is obtained automatically several times a year as part of the app. This is not an individual case. This is not a self-evident conclusion, because the meaning of “in an individual case” is by no means clear. This requirement is also found in Art. 6 (2) lit. b FDPA in the case of disclosure abroad, and here the practice assumes that “in individual cases” means as much as “for clearly determined, but possibly repetitive” data processing. However, the FAC seems to understand the individual case literally, i.e. for individual, non-repetitive cases. It refers to a reference in the literature (Eugster), which actually says so, but does not justify this further. One would have wished for a more detailed discussion of this practically important question. From the point of view of the protection of the data subject, the restrictive interpretation of the FAC is in any case not necessary, because there is no reason to assume that consent would not be granted repeatedly for a specifically described case.
  • Moreover, the written form required by Art. 84a para. 5 lit. b KVG was lacking. Here, the FAC refers to Art. 14 OR (handwritten signature), which, based on Art. 7 ZGB, is not absurd, but is also not mandatory. There would certainly be room for a differentiated interpretation of the concept of written form depending on the area of law. Here, too, one would have wished for more in-depth discussion, and the last word on this subject has certainly not yet been spoken.

Transparency requirements

Next, the FAC also sees the information requirement (“informed” consent) as violated, for two reasons:

  • Consent, it said, is given in “extensive terms of use and data protection”, which makes it difficult to know what data processing is being consented to; and
  • the consent did not refer to a specific purpose of the data processing and was not limited to the few, concretely required data points, but was formulated “broadly and without restrictions”.

Here, too, the FAC’s decision is at least somewhat superficial. The requirements for informed consent are derived from the principle of good faith and are therefore variable depending on the risk. In the case at hand, however, the data transmitted by the OKP, for which the consent was required, was completely harmless – it was essentially a matter of confirming that a particular person was indeed covered by basic insurance with Helsana. This is neither a data item that is particularly worthy of protection nor any other sensitive information. Why a restriction to certain data points should be necessary here is not clear from the decision, and it is also not plausible in substance. Broadly formulated consents are simply unavoidable and must be interpreted restrictively, but they are not fundamentally invalid. More important is the limitation of the consent to a specific purpose. In the present case, however, it was probably obvious that the consent was given for the purpose of processing the app. Not explicitly stating this again does not make consent invalid, at least not for trivial data like in this case.

Principle of legality vs. consent

Particularly noteworthy is the following consideration of the FAC, perhaps even the most important point in the judgment:

4.8.2 Since Helsana Insurances AG and Progres Insurances AG, as well as the defendant, are legal entities, the disclosure of personal data of one of these insurance companies to the defendant is deemed to be disclosure to a third party. The disclosure of personal data from the compulsory health care insurance takes place in the present case not in the performance of a duty assigned by the Health Insurance Act. […] An exception to the obligation to maintain secrecy under social security law is therefore lawful in the present case only under the cumulative requirements of Art. 19 para. 1 FDPA and Art. 84a para. 5 let. b KVG, that is, if the person concerned has consented in writing in the individual case.

From this it can only be concluded that compliance with Art. 84a KVG not only excludes a violation of the secrecy obligation of Art. 33 ATSG but also satisfies the requirement of a legal basis for the disclosure of data. This should also settle the question of whether consent within the meaning of Art. 17(2)(c) and Art. 19(2)(b) FDPA dispenses only with the requirement of a formal legal basis or, more generally, with the requirement of a legal basis: effective consent is a surrogate for a legal basis. This is the only way to explain why the FAC would allow data to be disclosed on the basis of effective consent, even though the OKP provider would have no basis for this in the KVG (which is not so clear in this case – one could have based the disclosure on Art. 19 para. 1 KVG: “Insurers promote the prevention of diseases”).

Moreover, the first sentence in the cited E. 4.8.2 almost seems to suggest that, in the view of the FAC, a disclosure of data within the same legal entity is not necessarily subject to the restrictions of Art. 84a KVG. This would be surprising, because until now it has generally been assumed that the confidentiality requirement of Art. 33 ATSG also applies within the same organization, which is why a data disclosure from the OKP into the supplementary insurance potentially violates Art. 33 ATSG and is therefore subject to the requirements of Art. 84a KVG. This results in a separation requirement that is difficult to implement. However, it can hardly be inferred from the present ruling that the Federal Administrative Court wants to abolish this.



