The Federal Administrative Court (FAC) has handed down its long-awaited judgment in the matter of FDPIC v. Helsana concerning the Helsana+ app (Judgment A‑3548/2018 of 19 March 2019). The Helsana+ app is the app for the Helsana+ bonus program, in which participants collect points and convert them into bonuses. Among other things, questions arose concerning consent in connection with the disclosure of personal data by basic insurers. Also in dispute was whether the bonus program for app users violated the prohibition of premium refunds under health insurance law and, if so, whether this also rendered the associated data processing unlawful within the meaning of Art. 4 para. 1 FDPA (as the FDPIC had asserted).
Background
The app worked, in the version under review, as follows (E. A):
Helsana Supplementary Insurances AG operates the app-based bonus program “Helsana+” […]. Participants in the program can collect […] plus points, which they can convert into bonuses […]. Only policyholders of an insurance company of Helsana AG (Helsana Supplementary Insurances AG, Helsana Insurances AG and Progres Insurances AG) are eligible for bonuses. The app does not transmit health and movement data […]. Different bonuses are granted to policyholders of the compulsory health care insurance and of the supplementary insurance. For the purpose of determining eligibility and calculating the amount of the bonuses, Helsana Supplementary Insurances AG verifies the insured characteristics of the participants. For this purpose, as part of the registration process via the app, it requests their consent for data from the Helsana Group’s compulsory health insurance to be transferred to the supplementary insurance.
In doing so, the terms of use provided:
For the registration and identification of the user for the full version, the insurance number, ZIP code, date of birth and e‑mail address are required.
Helsana is entitled to view the relevant data of the respective insurance companies of the Helsana Group for the purpose of identifying the user.
In Section B.4, “Consent to Match with User’s Insured Data,” the regulations further provided:
The user expressly agrees that Helsana, within the framework of the processing of the Helsana+ App, may access the user’s insured data held by the insurance companies of the Helsana Group.
Even before the FAC ruling, however, Helsana changed the way the app works. The basic insurer no longer discloses any data; instead, participants upload a photo of their health insurance card. Consent is therefore no longer required, which is why the FAC’s decision no longer has any practical effect on the app.
On the legality within the meaning of Art. 4 para. 1 FDPA
On this point, the ruling is clear: a violation of legal provisions leads to the unlawfulness of data processing only if the violated norm aims at the protection of personality:
5.4.4 In summary, the principle of legality in Art. 4 para. 1 FDPA is to be understood in such a way that data processing for an illegal purpose is unlawful within the meaning of the Data Protection Act only if, in doing so, it violates a norm that at least also, directly or indirectly, aims to protect the personality of a person.
In contrast, the violation of a norm is irrelevant in terms of data protection law if that norm does not aim to protect personality. This is self-evident in itself, because data protection law, like any other area of law, has its own protective purpose, even if its broad factual scope (the processing of personal data) gives it the potential to become an undifferentiated super-regulation. If one were to treat every violation of law as a data protection violation as soon as personal data is processed in the process, then, only slightly exaggerated, the Clean Air Ordinance would also be violated whenever the perpetrator breathes. There are certainly signs that the regulatory claim of data protection law is being overstretched, if one thinks of provisions with antitrust implications such as the right to data portability, which is also propagated in Switzerland, or of the fact that the preamble of the revised Data Protection Act now also cites Art. 97 para. 1 BV, the constitutional basis of consumer protection law. Against this background, the recent decision of the German Federal Cartel Office in the Facebook matter appears to be a justified reaction of antitrust law to attempts at appropriation by data protection law. With the FAC’s ruling, it is now hopefully clear that data protection law is not a vehicle for helping other kinds of regulatory objectives achieve a breakthrough. This becomes all the more important as data protection sanctions are strengthened.
On consent
The FAC’s considerations on consent are significant for practice. Here the FAC partially sided with the FDPIC: the consent of the basic-insured users of the app to the disclosure of their data to the operator of the app, the carrier of the supplementary insurance, was invalid.
Why a consent requirement?
The FAC apparently saw a requirement for consent for two reasons:
- The processing of personal data from the basic insurance (the compulsory health care insurance, “OKP”) in the context of the app violates, in the view of the FAC, the purpose limitation principle (E. 4.7), which requires justification.
- Then, within the framework of the app, there was an initial disclosure of data by a basic insurance carrier to Helsana, because the basic insurance status was relevant, among other things, for calculating the amount of the bonuses. Helsana, as the operator of the app, therefore had the OKP insurer confirm that participating users had basic insurance. In the opinion of the FAC, this constitutes a disclosure of data by the OKP insurer. Such a disclosure is permissible under Art. 84a KVG only in certain constellations, including with consent within the meaning of Art. 84a para. 5 lit. b KVG.
In its examination of consent, the FAC more or less follows this structure: it first examines the validity of the consent according to general principles and then asks whether the consent to disclosure by the OKP insurer withstands Art. 84a para. 5 KVG.
Tying ban not violated
First of all, the FAC held that the tying ban was not violated, i.e. that linking access to the app to consent did not invalidate the voluntary nature of the consent. The FDPIC had taken the view in its lawsuit that consent was involuntary because access to the app was conditional on consent. The FAC sees this differently:
- On the one hand, the coupling was not extraneous to the purpose:
Contrary to the plaintiff’s submissions, the consent is voluntary, as the disadvantage threatened in the event of non-consent – the impossibility of participating in the Helsana+ program – has a direct connection to the data for the processing of which consent is obtained, and thus there is no impermissible coercion to grant consent […]: Without obtaining the personal data, the defendant cannot check whether there is an insured relationship with another insurance company of the Helsana Group, which in turn is a prerequisite for participation in the Helsana+ program and entitles the participant to bonus points under the program.
- On the other hand, the fact that program participation offered monetary advantages did not amount to undue coercion either:
The fact alone that the defendant advertises participation in the program with monetary benefits, and in particular with cash bonuses (of at most Fr. 75 per year for persons with basic insurance only), does not constitute impermissible coercion either.
This attitude of the FAC was not necessarily self-evident, especially since the FAC itself, in the KSS decision (A‑3908/2008 of 4.8.2009), had taken a rather restrictive stance. With the present ruling, however, it should now be clear that linking access to a service to consent is at least harmless if the link is appropriate, i.e. if the data processing in question is inherent in the design of the service concerned. It is not entirely clear, however, whether and under what circumstances disproportionate benefits would invalidate voluntariness. The quoted passage at least sounds as if monetary benefits cannot, in principle, invalidate the voluntary nature of consent.
Art. 84a para. 5 KVG violated
With regard to the disclosure by the OKP insurer, the FAC examines the requirements of Art. 84a para. 5 lit. b KVG. Under that provision, personal data may be disclosed,
provided that the person concerned has consented in writing in the individual case or, if it is not possible to obtain consent, disclosure may be presumed under the circumstances to be in the interest of the insured person.
Against this background, the FAC does not see any effective consent to the disclosure of data:
- From Art. 84a para. 5 lit. b KVG, and also from Art. 19 para. 1 lit. b FDPA, it follows that consent is effective only “in the individual case”. That is not so here, because the data is obtained automatically several times a year as part of the app; this is not an individual case. This conclusion is not self-evident, because the meaning of “in the individual case” is by no means clear. The same requirement is found in Art. 6 para. 2 lit. b FDPA for disclosure abroad, and there practice assumes that “in the individual case” means something like “for clearly determined, but possibly repetitive” data processing. The FAC, however, seems to read the individual case literally, i.e. as individual, non-repetitive cases. It refers to a reference in the literature (Eugster) which does say so, but gives no further justification. One would have wished for a more detailed discussion of this practically important question. From the point of view of protecting the data subject, the FAC’s restrictive interpretation is in any case not necessary, because there is no reason to assume that consent cannot be granted for a specifically described but repeated case.
- Moreover, the written form required by Art. 84a para. 5 lit. b KVG was lacking. Here the FAC refers to Art. 14 OR (handwritten signature), which, based on Art. 7 ZGB, is not absurd, but neither is it mandatory. There would certainly be room for a differentiated interpretation of the concept of written form depending on the area of law. Here, too, one would have wished for a more in-depth discussion, and the last word on this subject has certainly not yet been spoken.
Transparency requirements
Next, the FAC also sees the information requirement violated (“informed” consent), for two reasons:
- Consent, it said, is given in “extensive terms of use and data protection provisions”, which makes it difficult to know what data processing is being consented to; and
- the consent did not refer to a specific purpose of the data processing and was not limited to the few data points actually required, but was formulated “broadly and without restrictions”.
Here, too, the FAC’s decision is at least somewhat superficial. The requirements for informed consent are derived from the principle of good faith and therefore vary with the risk. In the case at hand, however, the data transmitted by the OKP on the basis of the consent was completely harmless: it was essentially a confirmation that a particular person was indeed covered by basic insurance with Helsana. This is neither a data item particularly worthy of protection nor any other sensitive information. Why a restriction to certain data points should be necessary here is not clear from the decision, nor is it plausible in substance. Broadly formulated consents are simply unavoidable and must be interpreted restrictively, but they are not fundamentally invalid. More important is the limitation of the consent to a specific purpose. In the present case, however, it was probably obvious that the consent was given for the purpose of operating the app. Not stating this explicitly again does not make the consent invalid, at least not for trivial data as in this case.
Principle of legality vs. consent
Particularly noteworthy is the following consideration of the FAC, perhaps even the most important point in the judgment:
4.8.2 Since Helsana Insurances AG and Progres Insurances AG, as the insurance companies, and the defendant are all legal entities, the disclosure of personal data by one of these insurance companies to the defendant is deemed to be disclosure to a third party. In the present case, the disclosure of personal data from the compulsory health care insurance does not take place in the performance of a duty assigned by the Health Insurance Act. […] An exception to the obligation to maintain secrecy under social security law is therefore lawful in the present case only under the cumulative requirements of Art. 19 para. 1 FDPA and Art. 84a para. 5 let. b KVG, that is, if the person concerned has consented in writing in the individual case.
From this it can only be concluded that compliance with Art. 84a KVG covers not only the secrecy obligation of Art. 33 ATSG but also the requirement of a legal basis for the disclosure of data. This should also settle the question of whether consent within the meaning of Art. 17 para. 2 lit. c and Art. 19 para. 2 lit. b FDPA dispenses only with the requirement of a formal legal basis or, more generally, with the requirement of a legal basis at all: effective consent is a surrogate for a legal basis. This is the only way to explain why the FAC would allow data to be disclosed on the basis of effective consent even though the OKP provider would have no basis for this in the KVG (which is not so clear in this case; one could have based the disclosure on Art. 19 para. 1 KVG: “Insurers promote the prevention of diseases”).
Moreover, the first sentence of the cited E. 4.8.2 almost seems to suggest that, in the view of the FAC, a disclosure of data within the same legal entity is not necessarily subject to the restrictions of Art. 84a KVG. This would be surprising, because until now it has generally been assumed that the confidentiality requirement of Art. 33 ATSG also applies within the same organization, which is why a disclosure of data from the OKP to the supplementary insurance potentially violates Art. 33 ATSG and is therefore subject to the requirements of Art. 84a KVG. This results in a separation requirement that is difficult to implement. However, it can hardly be inferred from the present ruling that the Federal Administrative Court intends to abolish it.