A‑3548/2018: Decision of the Federal Administrative Court in the case of Helsana+.

The Federal Administrative Court has handed down the long-awaited verdict in the matter of FDPIC vs. Helsana regarding the Helsana+ app (Judgment A‑3548/2018 of 19 March 2019). The Helsana+ app is an app for the Helsana+ bonus program, where participants can collect points and convert them into bonuses. Among other things, questions arose in connection with consent and the disclosure of personal data by basic insurers. Also in dispute was the question of whether the bonus program for app users violated the prohibition of premium refunds under health insurance law and – if so – whether this meant that the associated data processing was also unlawful within the meaning of Art. 4 para. 1 FDPA (which the FDPIC had asserted).

Background

The app works – in the assessed version – as follows (E. A):

The Helsana Supplementary Insurances AG operates the app-based bonus program “Helsana+” […]. Participants in the program can collect […] plus points, which they can convert into bonuses […]. Only policyholders of an insurance company of Helsana AG (Helsana Supplementary Insurances AG, Helsana Insurances AG and Progres Insurances AG) are eligible for bonuses. The app does not transmit health and movement data […]. Different bonuses are granted for policyholders of the mandatory health care insurance and the supplementary insurance. To determine eligibility and to calculate the amount of the bonuses, Helsana Supplementary Insurances AG clarifies the insured characteristics of the participants. For this purpose, it requests from them, as part of the registration process via the app, consent to the transfer of data from the Helsana Group’s compulsory health insurance to the supplementary insurance.

In doing so, the terms of use provided:

For the registration and identification of the user for the full version, the specification of the insurance number, the ZIP code, date of birth and e‑mail address is required.

Helsana is entitled to view the relevant data of the respective insurance companies of the Helsana Group for the purpose of identifying the user.

In Section B.4, “Consent to Match with User’s Insured Data,” the regulations further provided:

The user expressly agrees that Helsana, within the framework of the processing of the Helsana+ App, may access the User’s insured data held by the insurance companies of the Helsana Group.

Even before the BVG ruling, however, Helsana changed the way the app works. The basic insurer no longer discloses any data. Instead, participants upload a photo of their health insurance card. Consent is therefore no longer required, which is why the BVGer’s decision no longer has any effect on the app.

On the legality within the meaning of Art. 4 para. 1 FDPA

On this point, the ruling is clear: a violation of legal provisions leads to the unlawfulness of data processing only if the violated norm aims at the protection of personality:

5.4.4 In summary, the principle of legality of Art. 4 para. 1 FDPA is to be understood in such a way that data processing for an illegal purpose is unlawful within the meaning of the Data Protection Act only if, in doing so, it violates a standard that at least also, directly or indirectly, aims to protect the personality of a person.

In contrast, the violation of a norm is irrelevant in terms of data protection law if this norm does not aim to protect personality. This is in itself self-evident, because like any other area of law, data protection law has its own protective purpose, even if data protection law has the potential to become an undifferentiated super-regulation due to its broad factual scope, the processing of personal data. But if one were to view every violation of law as a data protection violation as soon as personal data is processed in the process, then – only slightly exaggerated – the Clean Air Ordinance would also have to be violated if the perpetrator breathes. There are certainly signs that the regulatory claim of data protection law is being overstretched, if one thinks of provisions with antitrust implications such as the right to data portability, which is also propagated in Switzerland, or the fact that the ingress of the revised Data Protection Act recently also cites Art. 97 para. 1 BV, the constitutional basis of consumer protection law. Against this background, the recent decision by the German Federal Cartel Office in the Facebook matter appears as a justified reaction of antitrust law to attempts of appropriation by data protection law. With the ruling of the BVGer, it is now hopefully clear that data protection law is not a vehicle for helping other types of regulatory objectives to achieve a breakthrough. This becomes even more important when data protection sanctions are strengthened.

On consent

The considerations of the FAC on the subject of consent are significant for practice. Here the FAC partially agreed with the FDPIC: the consent of the basic insured users of the app to the disclosure of their data to the operator of the app, the carrier of the supplementary insurance, was invalid.

Why a consent requirement?

The FAC apparently saw a requirement for consent for two reasons:

  1. The processing of personal data from the basic insurance (the compulsory health care insurance, “OKP”) in the context of the app violates, in the view of the BVGer, the earmarking principle (E. 4.7), which requires justification.
  2. Then, within the framework of the app, there was an initial disclosure of data by a basic insurance carrier to Helsana, because the basic insurance status was relevant, among other things, for calculating the amount of the bonuses. Helsana, as the operator of the app, therefore had the OKP insurer confirm that participating users had basic insurance. In the opinion of the FAC, this constitutes a disclosure of data by the OKP insurer. Such a disclosure of data is permissible under Art. 84a KVG only in certain constellations, including with consent within the meaning of Art. 84a (5) lit. b KVG.

In its examination of consent, the FAC more or less follows this structure, i.e. it first examines the effectiveness of consent according to general principles and then asks whether the consent to disclosure by the OKP insurer withstands scrutiny under Art. 84a para. 5 KVG.

Tying ban not violated

First of all, the FAC held that the tying ban was not violated, i.e., that the linking of the app and consent did not invalidate the voluntary nature of the consent. The FDPIC had taken the view in its lawsuit that consent was involuntary because access to the app was linked to consent. The BVGer now sees this differently:

  • On the one hand, the coupling is not extraneous:

    Contrary to the plaintiff’s submissions, the consent is voluntary, as the disadvantage threatened in the event of non-consent – the impossibility of participating in the Helsana+ program – has a direct reference to the data for the processing of which consent is obtained, and thus there is no impermissible coercion to grant consent […]: Without obtaining the personal data, the defendant cannot check whether there is an insured relationship with another insurance company of the Helsana Group, which in turn is a prerequisite for participation in the Helsana+ program, and entitles to bonus points under the program.

  • On the other hand, the fact that program participation had monetary advantages also did not amount to undue coercion:

    The fact alone that the defendant advertises participation in the program with monetary benefits and in particular with cash bonuses (in the amount of a maximum of Fr. 75 per year for persons with basic insurance only) also does not constitute impermissible coercion.

This attitude of the FAC was not necessarily self-evident, especially since the BVGer itself – in the KSS decision (A‑3908/2008 of 4.8.2009) – had taken a rather restrictive stance. With the present ruling, however, it should now be clear that linking access to a service to consent is at least harmless if the link is appropriate, i.e. if the data processing in question is inherent in the design of the service in question. It is not entirely clear, however, whether and under what circumstances disproportionate benefits render voluntariness invalid. However, the quoted passage sounds at least as if monetary benefits cannot in principle render the voluntary nature of consent invalid.

Art. 84a para. 5 KVG violated

With reference to the disclosure by the OKP insurer, the BVG examines the requirements of Art. 84a para. 5 lit. b KVG. According to this provision, personal data may be disclosed,

provided that the person concerned has consented in writing in individual cases or, if it is not possible to obtain consent, it may be presumed under the circumstances to be in the interest of the insured person.

Against this background, the BVG does not see any effective consent to the disclosure of data:

  • From Art. 84a para. 5 lit. b KVG and also from Art. 19 para. 1 lit. b FDPA it follows that consent is effective only “in individual cases”. This is not the case here, because the data is obtained automatically several times a year as part of the app. This is not an individual case. This is not a self-evident conclusion, because the meaning of “in an individual case” is by no means clear. This requirement is also found in Art. 6 (2) lit. b FDPA in the case of disclosure abroad, and here the practice assumes that “in individual cases” means as much as “for clearly determined, but possibly repetitive” data processing. However, the FAC seems to understand the individual case literally, i.e. for individual, non-repetitive cases. It refers to a reference in the literature (Eugster), which actually says so, but does not justify this further. One would have wished for a more detailed discussion of this practically important question. From the point of view of the protection of the data subject, the restrictive interpretation of the FAC is in any case not necessary, because there is no reason to assume that consent would not be granted repeatedly for a specifically described case.
  • Moreover, there was a lack of written form, which Art. 84a para. 5 lit. b KVG requires. Here, the FAC refers to Art. 14 OR (handwritten signature), which, based on Art. 7 ZGB, is not absurd, but is also not mandatory. There would certainly be room for a differentiated interpretation of the concept of written form depending on the area of law. Here, too, one would have wished for more in-depth discussions, and the last word on this subject has certainly not yet been spoken.

Transparency requirements

Next, the FAC also sees the information requirement violated (“informed” consent), for two reasons:

  • Consent, the court said, is given in “extensive terms of use and data protection”, which makes it difficult to know what data processing is being consented to; and
  • the consent does not refer to a specific purpose of the data processing and is not limited to the few, concretely required data points, but was formulated “broadly and without restrictions”.

Here, too, the BVGer’s decision is at least somewhat superficial. The requirements for informed consent are derived from the principle of good faith and are therefore variable depending on the risk. In the case at hand, however, the data transmitted by the OKP, for which consent was required, was completely harmless – it was essentially a matter of confirming that a particular person was indeed covered by basic insurance with Helsana. This is neither a data item that is particularly worthy of protection nor any other sensitive information. Why a restriction to certain data points should be necessary here is not clear from the decision, and it is also not plausible in substance. Broadly formulated consents are simply unavoidable and must be interpreted restrictively, but they are not fundamentally invalid. More important is the limitation of the consent to a specific purpose. In the present case, however, it was probably obvious that the consent was given for the purpose of processing the app. Not explicitly stating this again does not make consent invalid, at least not for trivial data like in this case.

Principle of legality vs. consent

Particularly noteworthy is the following consideration of the FAC, perhaps even the most important point in the judgment:

4.8.2 Since both the insurance companies Helsana Insurances AG and Progres Insurances AG and the defendant are legal entities, the disclosure of personal data of one of these insurance companies to the defendant is deemed to be disclosure to a third party. The disclosure of personal data from the compulsory health care insurance takes place in the present case not in the performance of a duty assigned by the Health Insurance Act. […] An exception to the obligation to maintain secrecy under social security law is therefore only lawful in the present case under the cumulative requirements of Art. 19 para. 1 FDPA and Art. 84a para. 5 let. b KVG, that is, if the person concerned has consented in writing in the individual case.

From this it can only be concluded that compliance with Art. 84a KVG removes not only a violation of the secrecy obligation of Art. 33 ATSG but also the requirement of a legal basis for the disclosure of data. This should also settle the question of whether consent within the meaning of Art. 17(2)(c) and Art. 19(2)(b) FDPA dispenses only with the requirement of a formal legal basis or, more generally, with the requirement of a legal basis: effective consent is a surrogate for a legal basis. This is the only way to explain why the FAC would allow data to be disclosed on the basis of effective consent, even though the OKP provider would have no basis for this in the KVG (which is not so clear in this case – one could have based the disclosure on Art. 19 para. 1 KVG: “Insurers promote the prevention of diseases”).

Moreover, the first sentence in the cited E. 4.8.2 almost seems to suggest that, in the view of the FAC, a disclosure of data within the same legal entity is not necessarily subject to the restrictions of Art. 84a KVG. This would be surprising, because until now it has generally been assumed that the confidentiality requirement of Art. 33 ATSG also applies within the same organization, which is why a data disclosure from the OKP into the supplementary insurance potentially violates Art. 33 ATSG and is therefore subject to the requirements of Art. 84a KVG. This results in a separation requirement that is difficult to implement. However, it can hardly be inferred from the present ruling that the Federal Administrative Court wants to abolish this.