On March 26, 2025, the Geneva Cour de Justice issued a ruling on criminal liability for a breach of the minimum data security requirements (judgment ACPR/239/2025), on which François Charlet has already reported at Swissprivacy.
The background was a training course at a business school in which clinic employee E allegedly shared medical information about another classmate with her classmate A. A was under psychiatric care at the same clinic and subsequently wanted to know whether her own data had also been accessed. A check did in fact reveal that E had accessed her data too. This was followed by a further exchange and a police investigation into the reasons for and the extent of the access. E was apparently employed in the clinic's accounting department and was nevertheless able to access the patient files, including medical data, because the clinic software did not allow access to be restricted to what her role required.
The public prosecutor's office did not even open proceedings. The Cour de Justice rejected A's appeal against the decision not to open proceedings, giving brief reasons:
A violation of the duty to provide information pursuant to Art. 60 para. 1 FADP could not be established. Although A had not been told exactly which of her data had been accessed, this was immaterial:
[It is] irrelevant that the information provided does not indicate whether […] medical elements were actually accessed. Within the meaning of Art. 60 para. 1 FADP, only the complete information on the scope of the administrative staff's right of access is decisive. In addition, the violation of Art. 60 FADP is exclusively intentional.
Nor was a violation of the minimum data security requirements established, notwithstanding the comprehensive rather than restricted access to the patient files:
- Given the vagueness of Art. 61 para. 1 lit. c FADP, only obvious violations fall within its scope, for example the complete absence of security measures, but not merely inadequate measures or incomplete regulation, since risk considerations and questions of appropriateness are decisive there.
- In this case there was in principle a reason for the disputed access, so the case was not clear-cut. In addition, as an auxiliary person E was herself subject to patient confidentiality.
The result of the ruling is hardly surprising:
- There is little appetite to prosecute data protection violations, even in a case such as this one, which involved at least highly questionable access to health data. In particular, an access right that is justified in principle does not legitimize every actual access. In this respect one can sympathize with the complainant for not wanting to let the matter rest with the decision not to open proceedings.
- It is correct, however, that the Cour de Justice has followed the critical literature and classified only absolutely obvious security failures as potentially criminally relevant. In the broad gray area of "appropriate" data security, criminal liability would indeed hardly be compatible with the principle of legal certainty (see here).
- The ruling leaves open a violation of Art. 321 StGB or Art. 62 FADP. Neither could be ruled out a priori, at least if one assumes that a disclosure within the organization of a legal entity can constitute a criminal offence (see also Reto Ferrari-Visca, in his dissertation, para. 958: no bank-internal banking secrecy; at least questionable in view of the personal ownership of the secret and the AXA pension fund decision of the FAC).