The FDPIC and privatim have jointly updated the Guide to elections and voting. The previous version was dated June 1, 2019.
The guide is intended to be an aid, but in part goes beyond both current and future law. References to the legal bases have been deliberately omitted in order to promote general comprehensibility, and the main aim is to “sensitize” (here it competes with the dozens of concerns for which the federal government also “raises awareness”). Nevertheless, the guide is not limited to principles, but contains detailed instructions for action. It is unclear where the guide is to be understood as a recommendation and where as an interpretation of binding rules; however, it is mostly formulated as an instruction. This is partly due to the fact that it does not distinguish between the rules of the DPA and those of the cantons. Overall, however, it is hardly generally comprehensible and not always legally convincing. A few comments on this:
- If a party uses a third-party tracking pixel and thereby generates information about the visitors to its website, which is subsequently used for targeted addressing on social media, then the party, as operator of the website, and the social media provider are jointly responsible. However, this view is not substantiated.
- This is probably based on the case law of the ECJ. In the Fanpages decision the ECJ saw a joint responsibility because of the influence exerted on the subsequent processing by Facebook for statistical purposes; at that point such influence was still required. In the Fashion ID decision it was already sufficient to cause the data collection by Facebook in a common economic interest, even without any further influence. The case law is thus moving towards an expansion of joint responsibility, whereby conscious cooperation with knowledge of the essential circumstances of the joint processing is probably necessary, but also sufficient. However, this is not made clear by the corresponding guidelines of the EDSA either. It therefore remains open under which conditions, and with reference to what, the FDPIC and privatim see a joint responsibility, which is why their reference is of little help to practice.
- Either way, joint responsibility requires that personal data is processed at all, which need not be the case with tracking pixels (because unique IDs are not always personal data under the FADP, even under the nDSG).
- Jointly responsible third parties shall be required to “demonstrate that they are complying with all data protection requirements.” What is meant by this?
- The guide contains references to order processing and provides in the Appendix under C that “data brokers and data analytics companies”, when acting as order processors,
before concluding the contract, shall ensure that their client is willing and technically and organizationally capable of processing the data received in accordance with the set terms and conditions and the contract;
Why would a processor have these obligations? While a processor may be jointly liable if it knowingly contributes to a data breach by the controller, it has no obligation to conduct a corresponding audit.
Personal data requiring special protection:
- An exceptionally broad understanding of personal data requiring special protection is to apply:
Data that allow conclusions to be drawn about political or ideological views are considered to be particularly worthy of protection
The fact that data “allow” conclusions to be drawn can hardly be sufficient, especially since the question of personal reference itself depends not only on the abstract possibilities, but also on the realistically available means and the motivation of the body that has access to the personal data. When it comes to the qualification as particularly worthy of protection, it can hardly be otherwise. Here, too, one seems to follow the case law of the ECJ, which is to be rejected in any case under the FADP (the newer cantonal laws work with a general clause, which could be interpreted accordingly depending on the circumstances).
- The FDPIC and privatim continue:
Although there is no comprehensive case law on this yet, it can be assumed that digital data processing in connection with the political process is generally subject to the level of protection applicable to particularly sensitive personal data, if only because of its purpose of influencing the ideological views of many people.
This statement is not correct either. Not all data “in connection with the political process” is a priori particularly worthy of protection. The decisive factor is also not the intention to influence views, but the significance of a data item in the context of its processing.
- Consent would have to be “self-determined”. Presumably, this refers to the voluntary nature of consent. According to the guide, this presupposes that the persons concerned can give their consent in a “differentiated” manner:
Consent is self-determined if the data subjects can give differentiated consent with regard to the activation or deactivation of individual aspects and functionalities of the digital applications (e.g., by setting appropriate checkmarks) and thus have a real choice not only whether to make their data available, but also to what extent.
And further down:
Can visitors individually (“granularly”) choose whether or which of the web tracking tools used they want to allow?
This reads as if, firstly, consent were required for tracking, which is not the case under Swiss law, and as if one had to consent to tracking measures individually, which not even the German or French authorities require under the DSGVO and the local rules for cookies, etc.
- In addition:
data subjects must be able to revoke their consent and request deletion of their data at any time. Meeting these demands requires investment in data protection-friendly technologies on the part of the players,
This is not the case. Data subjects generally have the right to revoke consent, but there is no requirement in Swiss law to make revocation as easy as giving consent, nor is there a general facilitation requirement for data subject rights as under the GDPR. And the privacy by design principle only requires proactive compliance with data protection law; it does not create additional obligations.
- Consent must also be informed. According to the guide, this should require, among other things, that those affected “also be informed about their rights”, such as “that of revocation at any time”. This, too, is taken one-to-one from the GDPR. Under Swiss law, consent does not become invalid if information about revocation is not provided, even under the cantonal laws that may require such information when consent is obtained (e.g., § 12 of the IDG ZH).
- In addition, the information would only be sufficient if it
make the purposes and modes of operation of the digital processing methods […] accessible in several levels of explanation appropriate to the addressees and, in particular, provide information about the duration of the processing and the possible forwarding of the data. The cascade of information begins with a clearly visible brief information on the registration page, which explains the most important points of data processing. Each of these points contains further links that take the reader to the relevant passages in the relevant processing regulations and data protection provisions.
It is obvious that this is not legally binding.
- Explicit consent:
Information and transparency:
- On a website, transparency would require at least the following information, which can at most apply under the cantonal data protection laws, and even there would go a long way, for example with regard to information about “artificial intelligence”:
  - the identity of the responsible holders of the
  - the categories of the processed data
  - the procurement of data with reference to third-party sources
  - the current purpose and, if necessary, the justification of the processing
  - the processing methods, including the purpose and operation of the analysis methods used, including artificial intelligence
  - the categories of possible data recipients
  - the roles, duties and responsibilities of data providers, data analytics companies or data platforms
- During the initial contact after an indirect data collection, it should be
indicated to the data subjects who is responsible for the communication received, where further information on the related data processing can be obtained and how the data subject’s rights can be asserted.
If this means that this initial information may contain not only a reference to a data protection statement but also information on the rights of the data subject, this is an attempt to come closer to the corresponding statements of the EDSA on minimum first-level information in the case of layered information (so-called “basic information”). However, there is no basis for this interpretation of the information obligation; a reference to the privacy statement is presumably sufficient.
Therefore, all data subjects must be able to exercise their rights to information, correction and deletion in an appropriate manner. This starts with informing them about their rights and how and where they can assert them.
In any case, the nDSG does not stipulate that data subjects must be actively informed of their rights. However, the cantonal data protection laws may contain such information obligations.
Role of individuals:
- Before a person discloses information about third parties to parties, interest groups, data traders, data analytics companies or data platforms, they must obtain “their express consent in advance” to do so and make sure that “software accesses this data that comes from reliable sources.” The last sentence is rather sweeping, and the person in question is not required to obtain consent in principle before sharing either, but he or she must inform the data subjects about the sharing. Accordingly, the recipient may also assume that this information has been provided.