The FDPIC has published its 29th activity report, covering the reporting period from April 1, 2021 to March 31, 2022. The media release accompanying the publication is entitled “Disrespect for privacy”. As always, the report is divided into the thematic areas of data protection, the principle of public access, and the authority of the FDPIC itself.
Some points give rise to comments:
- In the area of data protection, the focus is on the principle that “in Western democracies, the right of private parties is untouched” and should remain so, namely the right “to process their own data and that of their customers in a privately autonomous manner and to seal it off at will from third parties and thus also from the state”. With this, the FDPIC refers to the basic idea that data subjects themselves decide about their own data, the right to informational self-determination (if such a right exists): “In the free world, everyone should be granted the right to move anonymously in the analog and digital world without being incriminated by their own statements.” This shows what the FDPIC pays particular attention to: the cited “disregard for privacy”.
- The FDPIC continues to suffer from a lack of resources. In the dispatch on the e‑DSG, the Federal Council held out the prospect of a further nine to ten posts. Of these, three posts were awarded within the framework of Schengen. The FDPIC thus currently has a budget of 27 FTEs. Another six posts have been granted with a view to the revDSG. Nevertheless, the FDPIC “still lacks the means to systematically conduct spot checks and technical security controls, which would be particularly useful for sensitive health data repositories”. For access requests as well, one must “assume that without additional resources, the negative trend will continue to worsen and the rapid processing of procedures required by law will fall further behind.”
- The FDPIC should be given more resources. It was a mistake for parts of the economy to believe that the economy would be served by a weakened authority. The conspicuous reluctance of the FDPIC to adopt clear positions in the area of data protection leads to legal uncertainty and thus to less rather than more room for maneuver for the economy. However, this reluctance can be explained not only by a lack of resources, but also by the fact that the FDPIC does not want to take the place of the legislator (“In turn, the FDPIC, as a supervisory authority, will have a wide margin of discretion in the application of the provisions of the law with a view to establishing uniform and legally equal practice without further specification of the ordinance, the exhaustion of which could expose it to the accusation of acting as a regulator.”). In addition, the FDPIC has to walk the sometimes fine line between following a strictly interpreted GDPR on the one hand and an independent Swiss solution on the other, which may be viewed critically by the EU, and restraint need not be a mistake (cf. the comments on the opinion of the FDPIC in the case of SUVA). Nevertheless, more proactive action would be desirable – the FDPIC has the task of providing advice, and according to Art. 58 (1) (g) revDSG, the FDPIC develops “working instruments as recommendations of good practice for the attention of data controllers, processors and data subjects”. It is the will of the legislator that the FDPIC does not rewrite the law, but provides assistance in its interpretation and application.
- The FDPIC will provide two reporting portals: one for data breach notifications and one for data protection advisors. It would be interesting to know which processes follow such notifications internally.
- It is interesting to note that the FDPIC had “no competence to interpret the Swiss Penal Code or any other relevant laws” (in connection with a disclosure of data to the SEC, which the FDPIC assessed in terms of data protection law, but not also from the point of view of bank-client confidentiality). The 1988 Message stated that the data protection commissioner had “to monitor compliance not only with this Act, but also with all other federal data protection enactments. This means already existing and future special data protection law, but also international treaties”. In other words, the area of competence of the FDPIC is substantive and not formal data protection law. In an extensive interpretation, this would also allow for consideration of criminal law, but with the risk that the FDPIC’s area of competence would get out of hand. In this respect, its restraint here makes sense (and is in line with the Helsana ruling of the BVGer, according to which the regulatory scope of data protection law extends to standards outside of core data protection only if and to the extent that these standards “at least also, directly or indirectly, have as their purpose the protection of the personality of a person”). A clear demarcation is necessary, and the FDPIC’s statement must be understood against this background. It will be interesting to see whether the FDPIC will read Art. 62 revDSG as a data protection or genuine secrecy law norm.
- The FDPIC reports several ongoing clarifications of the facts. The impression is that these proceedings take longer and that the subject matter of the fact-finding sometimes changes considerably during their duration. Such moving targets would in themselves only be manageable by speeding up procedures, but once again the resource problem arises. This is not an advantage for the companies concerned. It is true that any deficiencies in processing can be remedied during a clarification, but there is the problem of legal uncertainty. It would make sense to have a stronger dialogue between the FDPIC and the persons responsible during the clarification of the facts, in particular also with reference to legal considerations of the FDPIC, of which the company only learns after the possibly lengthy determination of the facts.