The FDPIC today published the final report on the clarification of the facts opened in 2017 in the matter of Ricardo and TX Group:
The subject of the investigation was the transmission of data by Ricardo to TX, the use of this data for personalized marketing and the data protection declarations in this context.
The final report contains eleven recommendations, which are primarily addressed to Ricardo; recommendation B/2 concerns TX. TX and Ricardo consider these recommendations to be irrelevant because they relate to outdated facts and old law and are unfounded in substance. They have therefore neither accepted nor rejected the recommendations. The final report reflects the position of Ricardo and TX as follows:
252 Both Ricardo AG and TX Group AG essentially claim that the FDPIC’s recommendations are based on facts that no longer exist and refer to a law that no longer applies. The FDPIC’s recommendations are therefore irrelevant and the clarification of the facts should therefore be written off. Ricardo AG and TX Group AG declare that they neither accept nor reject the recommendations of the FDPIC. From a material point of view, the content of the recommendations is untenable. The parties reject the finding of violations of the FADP and dispute the legal conclusions of the factual investigation: The data transmitted to TX Group AG is not personal data, which is why the FADP is not applicable to the data processing under investigation. Furthermore, TX Group AG does not process personality profiles. The general data protection principles, in particular the recognizability of the data processing, are complied with, so that there is no violation of personality rights. Although no justification would be required for the data processing in question, the Ricardo users’ consent would be obtained and there would be an overriding private interest.
Ricardo and TX submitted comments on the final report to the FDPIC and requested that these comments be published if the final report was published. The FDPIC did not comply with this request. However, the comments themselves are available here with the kind permission of Ricardo and TX:
- Opinion on the final report, substantive part – Ricardo
- Opinion on the final report, substantive part – TX
Disclaimer: TX was represented in the investigation by Walder Wyss (including the author of this article), Ricardo and SMG by Vischer (David Rosenthal and his team).
Background
Ricardo is now part of the SMG Swiss Marketplace Group (SMG), in which the TX Group holds a stake, and operates one of the most successful Swiss online marketplaces. As with all online offerings, certain data is collected from visitors, such as the IP addresses of the devices used and other usage data. Further data is collected during registration and subsequent use of the platform. Ricardo may disclose this data to TX in pseudonymized form. Based on a non-personal identifier, the data can then be linked to other data and further processed in aggregated form. Affinities derived from this can be used for target group-specific online advertising. As can be seen from the findings, TX only uses aggregated data without a personal identifier and only segments comprising at least 50 users. Ricardo and TX have classified re-identification as de facto impossible.
The relevant data protection declarations were amended in the course of the clarification of the facts. This is a circumstance that the FDPIC cites as the reason for the extraordinarily long duration of the proceedings. However, it is obvious that such adjustments were not the sole reason for this duration. On the contrary, excessively long procedures make changes unavoidable. The FDPIC has already complained about this several times, and rightly so. However, this problem is not solved by the companies concerned freezing their business activities at the level at which the proceedings were opened, but by streamlining the procedures.
The FDPIC’s recommendations are extraordinarily strict and are largely superficial, not supported by the facts of the case, or contrary to established data protection law. However, this is not surprising, especially after the clarification of the facts in the case of Digitec Galaxus and several demarches by the FDPIC since the new DPA came into force. The FDPIC’s handling of data protection law, to which he is bound, can only be described as creative, even setting aside any polemics. However, the FDPIC’s task is to supervise the application of data protection law (Art. 4 para. 1 FADP) and not to develop it further.
Transitional law
The clarification of the facts was initiated in 2017 under the old law. As with Digitec Galaxus, it therefore had to be concluded in accordance with the old DPA under transitional law, because the proceedings lasted beyond August 31, 2023. As a result, all of the FDPIC’s recommendations are based on the old law, which no longer applies in general and therefore also no longer applies to TX and Ricardo. Whether the implementation of the recommendations would be necessary under the current DPA could not be the subject of the clarification of the facts, and the transferability of the FDPIC’s legal assessment to the new law cannot be assumed without a corresponding examination.
Accordingly, the FDPIC’s recommendations are not binding, not even within the scope of Art. 29 aDSG. It is therefore at least questionable whether the FDPIC will still be allowed to issue recommendations after September 1, 2023 in the context of clarifications of the facts under the old law – these are basically legal-historical considerations.
They cannot be enforced before the FAC in this or any other way, because an action by the FDPIC before the FAC under the old DPA would start a new procedure for which the transitional provisions of the new DPA do not apply. The FDPIC would have to conduct a new investigation, if at all, which would re-examine the facts of the case under the direct application of the FADP and conduct a legal review under the new FADP.
Processing of personal data
In order to be able to make recommendations at all, the FDPIC must assume that personal data is being processed. According to the FDPIC, a personal reference must be affirmed because a “reference between the aggregated data and the individual user” remains if an identifier is used, and the concept of personal data must be interpreted “extensively”. This is wrong: the concept must be interpreted, but according to the usual methods of interpretation and not somehow “extensively”.
The FDPIC then correctly refers (in substance) to the Logistep case law, according to which not every theoretical possibility of identification is sufficient. It follows from this, among other things, that pseudonymized data is not personal data for the body that has no possibility of identification; pseudonymization is anonymization for these bodies.
In principle, one could stop the examination here. However, the FDPIC comes to the conclusion in a very brief consideration that the data transmitted by Ricardo is personal, even for TX. Why? Because the personal reference does not require a conclusion about the “civil identity”, but a pseudonym is sufficient. Although TX has no interest in identification, this is not the only criterion; it “may” be sufficient if identification is possible.
The FDPIC firstly ignores the lack of an interest in identification and secondly does not examine the identification effort. He therefore omits the checks that he himself describes as necessary, as well as a survey of the facts – namely the identification possibilities – which would have made it possible to classify the data as personal in the first place. The FDPIC’s statements therefore boil down to one of two variants: either he effectively allows singularization to suffice as identification – at least in the online area, but without stating this and contrary to the prevailing doctrine and his own statements – or he disregards clear data protection law.
The parties have also argued that TX only processes a derivative of the transmitted data in aggregated form and only uses segments comprising at least 50 users, i.e. sufficient k-anonymity even if the identifiers were to be treated as personal data. The FDPIC does not say why he nevertheless assumes a personal reference.
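To make the data flow described in the background and in this argument concrete (speaking identifiers removed and replaced by a keyed pseudonym on the sender side, affinity segments aggregated on the recipient side and released only once they reach the minimum size of 50), here is an added illustration in Python. It is not code from Ricardo, TX or the final report; the field names, the HMAC-based pseudonymization, the interest categories and the sample users are assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample data (an assumption for this illustration): 120 users of a
# marketplace with a user id, an IP address and the categories they browsed.
# 80 users browsed "cars", 45 browsed "diy" (some of them also "cars"), 3 "boats".
def make_sample_users():
    users = []
    for i in range(120):
        cats = []
        if i < 80:
            cats.append("cars")
        if 40 <= i < 85:
            cats.append("diy")
        if i >= 117:
            cats.append("boats")
        users.append({"user_id": f"user-{i}", "ip": f"198.51.100.{i % 250}", "categories": cats})
    return users

SAMPLE_USERS = make_sample_users()
SENDER_KEY = b"constructed-secret-key-held-only-by-sender"  # never shared with the recipient
MIN_SEGMENT_SIZE = 50  # the minimum segment size mentioned in the final report

# Direct ("speaking") identifiers that must not leave the sender.
DIRECT_IDENTIFIERS = {"user_id", "ip"}

def pseudonymize(user_id: str, key: bytes) -> str:
    """Keyed hash of the user id. Without the key the recipient can neither
    recompute nor reverse the mapping, so the identifier is non-speaking for it."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]

def export_for_partner(users, key):
    """Records as transmitted to the partner: pseudonym plus categories only."""
    return [{"pid": pseudonymize(u["user_id"], key), "categories": list(u["categories"])}
            for u in users]

def contains_direct_identifiers(records) -> bool:
    """Sender-side check before transmission: no direct identifier may remain."""
    return any(DIRECT_IDENTIFIERS & set(r) for r in records)

def build_segments(records, k=MIN_SEGMENT_SIZE):
    """Recipient-side aggregation: count distinct pseudonyms per interest category
    and release only segments with at least k members. The result carries counts
    only, no pseudonyms, so it cannot be linked back to a single user."""
    members = {}
    for r in records:
        for c in r["categories"]:
            members.setdefault(c, set()).add(r["pid"])
    return {c: len(s) for c, s in members.items() if len(s) >= k}

def suppressed_segments(records, k=MIN_SEGMENT_SIZE):
    """Segments withheld because they fall below k; useful for an audit log."""
    counts = Counter(c for r in records for c in set(r["categories"]))
    return sorted(c for c, n in counts.items() if n < k)

if __name__ == "__main__":
    export = export_for_partner(SAMPLE_USERS, SENDER_KEY)
    print("direct identifiers in export:", contains_direct_identifiers(export))
    print("released segments:", build_segments(export))
    print("suppressed (below k):", suppressed_segments(export))
```

With the constructed data only the "cars" segment (80 members) is released; "diy" (45) and "boats" (3) fall below the threshold and are withheld.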
Recommendation A/1: Data and purposes
Ricardo AG has adapted the Ricardo platform in such a way that
1. it is clearly recognizable for Ricardo users for which purposes which personal data is processed;
The FDPIC requires it to be made clear which personal data is processed for which purposes. Ricardo and TX have already fulfilled this point by adapting their data protection declarations in line with general practice, prior to the corresponding recommendation.
It is not clear where the FDPIC derives this recommendation from; probably from the principle of transparency and the duty to provide information. However, there is no evidence in the materials, case law or literature that the FADP fundamentally requires an allocation of data and purposes, and this would hardly be justifiable as a general requirement in the current FADP either. Here too, however, the FDPIC’s statements correspond to those in the Digitec Galaxus final report.
In practice, a certain combination of data and purposes has nevertheless become widespread. However, the maintenance effort for the controller, the reading effort for the data subjects and the information needs of the data subjects must be set in an appropriate relationship – the scope of the information obligation is of course subject to the general principle of proportionality.
The FDPIC also suggests that without such a link, data subjects are prevented from objecting to data processing. However, more general information covers a greater number of processing operations. A generic list of data and purposes is therefore more likely to lead to objections than a granular one, and such objections are broader – which is detrimental to the controller and not the data subject. In addition, the information obligation only requires generic information. It is a precursor to the right to information, which specifies the information on request of the data subject with regard to the processing that concerns him/her.
This hierarchy explains why there is both a duty to inform and a duty to provide information. This is why the duty to provide information also states that the information required to exercise the rights must be provided: This reference refers in particular to the right to information; this should be facilitated. This expresses the self-responsibility of the data subject, and thus exempts from the duty to provide information that can be obtained via the right of access. The FDPIC disregards this hierarchy.
Recommendation A/2: Personality profiles
Ricardo AG has adapted the Ricardo platform in such a way that
2. it is clearly recognizable for Ricardo users whether and, if so, which data processing leads to personality profiles;
The FDPIC recognizes in the processing of Ricardo or TX a formation of personality profiles, because the linking of data by TX results in at least a partial picture of the personality. However, no abstract standard applies to personality profiles. This must be formulated in the present tense because the personality profile continues to exist as a product of the profiling process with a high risk. However, profiling is by no means a prerequisite for “high-risk” profiling, as the FDPIC wrongly suggests. After all, the final report makes it clear that the personality profile must be the result of the profiling process and therefore refers to the output of the profiling and not the input:
[…] “Profiling” refers to a particular form of processing. From the logical connection between the result and the form of processing, in turn, it can be deduced, based on the relevant doctrine, that automated processing that results in a legal “personality profile” that allows an assessment of essential aspects of a person’s personality generally also fulfills the qualification criteria of “high-risk profiling” […].
However, qualification as a personality profile depends on whether there is a real risk of the data subject being restricted in their behavior or “self-presentation”. The decisive factor is therefore primarily the specific use of the data, as the FDPIC himself recorded in the clarification of the facts in the Bicicletta case. How a classification into interest categories such as “Car Lovers” or “Do-It-Yourself (DIY) Buyers” should lead to the necessary risk remains open – in any case, such banal statements do not provide an actual partial picture. However, the final report lacks both factual findings and legal explanations on this point. Certainly such an affinity formation does not lead to a change in a person’s behavior. And if there are objections to such personalization in marketing, the problem should be located in fairness law rather than data protection law.
However, it is not only the classification as a personality profile that is incorrect; the conclusions derived from this are also incorrect: It was clear to the data subjects in the privacy policy that data is used for personalized advertising. There is no apparent basis for a more extensive transparency obligation, in particular no obligation to write “personality profile” in a privacy policy (and the same applies to profiling or high-risk profiling under the current DPA).
Recommendation A/3: Tracking platforms
Ricardo AG has adapted the Ricardo platform in such a way that
3. it is clearly recognizable for Ricardo users which platforms are involved in tracking or data linking for advertising purposes;
Here, the FDPIC recommends making it (more) clear which platforms are involved in tracking or data links for advertising purposes. Here too: The aDSG did not have such an obligation (nor does the current DSG). It is sufficient to name categories of recipients, and the controller may choose whether to name individual recipients or only categories, as can be seen from the materials and literature as well as from a Bern judgment (subject, of course, to the recipients’ obligation to provide information as controllers in their own right and subject to the sender’s contractual obligation to disclose the name of the recipient, which corresponds to practice in certain constellations). It is also not necessary to specify partners from whom data is obtained outside of the right to information. The hierarchy from information to disclosure (see above) is clearly regulated by law: Sources are only to be provided with information on request.
Recommendation A/4: Specification of justification reasons and possibilities of objection
Ricardo AG has adapted the Ricardo platform in such a way that
4. it is clearly recognizable for Ricardo users for which data processing Ricardo AG relies on which justifications and how the data processing can be objected to if necessary.
As in the Digitec Galaxus case, the FDPIC also requests information on which data processing is based on which justifications and how the data processing can be objected to. However, there is no such obligation, and the FDPIC does not justify this request in detail.
On the one hand, a justification is only required if there is a violation of personality rights. This is not the case. Secondly, there is no legal obligation to state grounds for justification in the privacy policy. This is clear from the materials: under the old Data Protection Act, it was disputed whether grounds for justification had to be stated, because the Act still required information on “the legal basis for processing”, but only in the context of the right to information. This obligation was deliberately not included in the new DPA, not even in the right of access, and it certainly cannot be derived from the obligation to provide information or the principle of transparency, as the obligation to provide information is less far-reaching than the right of access. The FDPIC is aware of this fact: As part of the revision, he had suggested that the duty to provide information should include a duty to provide information on the legal bases, but the legislator did not take up this concern. The fact that this does not prevent the FDPIC from postulating such an obligation is remarkable.
The right to object also arises from the law, which is assumed to be known. The Swiss legislator has also refrained from providing a simplification requirement for data subject rights, as the GDPR does. Deletion and objection options and other data subject rights do not have to be mentioned in data protection declarations. TX and Ricardo have nevertheless included references to erasure and objection rights in their privacy policies, which is common practice but not required by law.
Recommendation A/5: Accessibility of the privacy policy
Ricardo AG has adapted the Ricardo platform in such a way that
5. the privacy policy is easy to find, comprehensible and clear. One obvious implementation option is the multi-level information approach: At the top level, concise and easy-to-understand information provides an initial overview of the key aspects of data processing; the detailed privacy policy can then be accessed via a link;
As with Digitec Galaxus, the FDPIC includes his idea of implementation as a suggestion in the recommendation without directly requiring or recommending it – this is hardly permissible, as recommendations in themselves must be dispositive. In any case, this requirement expresses the conflicting objectives of data protection declarations: a data protection declaration should be detailed and complete as a minimum, but at the same time easy to read. This conflict requires a compromise. The FADP does not specify what this may look like, and the comments of the FDPIC are somewhat contradictory here: he calls for a multi-level approach, but criticizes the reference from Ricardo’s privacy policy to that of TX (which is “multi-level”) because this would make it difficult to understand.
As neither the FADP nor the GDPR contain specific requirements, it is up to the controller to decide which information is placed where, which information is highlighted or moved to a first level, where reference is made to other information and where a summary is sufficient for the sake of readability. As long as data subjects are not misled and all necessary information is provided, the details are at the discretion of the controller – the FDPIC or courts should not intervene without necessity.
Recommendation A/6: References to the DPA
Ricardo AG has adapted the Ricardo platform in such a way that
6. if reference is made to the legal basis, the privacy policy refers, where applicable, to the provisions of the applicable Data Protection Act (DSG) and not only to those of the GDPR;
With recommendation A/6, the FDPIC demands that the privacy policy be amended so that reference is made not only to the provisions of the GDPR, but also to those of the DPA. This recommendation is not convincing because Ricardo’s relevant privacy policy only refers to the GDPR in two places: when stating that the GDPR could be applicable and when referring to the EU representative. A reference to the DPA would make no sense in these places. In any case, this requirement would not be legally justified either, as neither the aDSG nor the current DSG require references to legal provisions.
In practice, data protection declarations often contain references to provisions of the GDPR because such references are required under the GDPR. As already mentioned, there is no such obligation in the FADP, and the position under the GDPR cannot be transferred to the FADP because Swiss law does not recognize a prohibition principle for private controllers and therefore does not require any “legal bases” for the processing of data. The FDPIC may be trying to emphasize that the controller must provide justifications – but, as already mentioned, this is incorrect.
Recommendation A/7: No excessive information
Ricardo AG has adapted the Ricardo platform in such a way that
7. the privacy policy reflects or lists the data processing actually carried out;
This recommendation also repeats one from the Digitec Galaxus case. According to the FDPIC, it violates the principle of transparency and the principle of good faith to also indicate data processing that is not or not yet being carried out. This view cannot be endorsed either: The information should define the expectations of the data subjects by stating how the controller intends to use personal data. Information about possible processing achieves this better than information only about processing that is already live at the time the information is provided. In this way, the data subject learns what to expect at the time he or she enters into a relationship with the controller and takes note of the privacy policy for the first and usually last time. The dispatch on Art. 4 para. 4 aDSG already assumed that information about possible processing may be provided, and the literature is unanimous in this view, even recommending information about possible processing.
Reference should again be made to the hierarchy between the duty to inform and the duty to provide information: Anyone who wants to know what data the controller is processing can request a copy of this data with the accompanying information in accordance with Art. 25 FADP – this provides the necessary concretization. The legislator itself has thus provided for a multi-level information approach, and the FDPIC threatens to undermine this sensible assessment with excessive information requirements.
Recommendation A/8: Specification of deletion and objection options
Ricardo AG has adapted the Ricardo platform in such a way that
8. the privacy policy describes the correct deletion or objection option depending on the justification for the data processing and its practice regarding deletion or objection requests is implemented correctly in this regard;
As mentioned, the rights to erasure and objection arise from the law. The legislator has also refrained from providing for a simplification requirement for data subject rights, as the GDPR does. Deletion and objection options and other data subject rights therefore do not have to be mentioned in data protection declarations. TX and Ricardo have nevertheless included references to rights of erasure and objection in their privacy policies, as is standard practice.
Recommendation A/9: Adaptation of the Consent Management Platform
Ricardo AG has adapted the Ricardo platform in such a way that
9. it is comprehensible and recognizable for users in the Consent Management Platform (CMP) which data processing takes place for which purposes, as well as the respective objection options. Ricardo must ensure that no data processing takes place if the selection in the CMP is set to “inactive”.
The FDPIC’s recommendation here relates to the concern that the setting options in the implementation of the CMP were not clearly understandable at the time the facts were established. There was a lack of clarity regarding the distinction between active consent, an objection and passive behavior, which, unlike an objection, does not prevent tracking. The use of a CMP is legally voluntary, but a requirement of the market; and how CMPs should look is determined by the advertising platforms, which, for example, allow the use of the IAB Transparency & Consent Framework (see also here). In accordance with the GDPR, this distinguishes between consent and legitimate interest with a corresponding option to object.
Recommendation B/1: Obtaining consent for data processing for advertising purposes
1. Ricardo adapts the Ricardo platform in such a way that in future it obtains the consent of Ricardo users to the processing carried out by Ricardo and TX for advertising purposes of the TX data offer companies before it collects usage data and passes on personal data to TX for these purposes. This must be done voluntarily and expressly after appropriate information (see recommendation A). Consent can be obtained, for example, by displaying a one-off pop-up at the next login, by adapting the registration form or by ticking a box in the CMP. As cross-platform tracking may only take place with the user’s consent, the button with the text “object to legitimate interests” should not be displayed.
The FDPIC derives a justification requirement from the “hint” (?). Moreover, he claims that the examination of proportionality is “very closely related in terms of content to the examination of the justification of overriding interest”, which is why it is “more appropriate” to carry out the examination at the justification level. However, data processing only needs to be justified if it leads to a violation of personality rights. The FDPIC reverses this relationship and thus assumes that every data processor is in breach of data protection law.
After the FDPIC has weighed up the interests in this way, he comes to the conclusion that the interests of the data subjects prevail. However, the balancing of interests is doubly incomplete.
Firstly, the FDPIC sees a risk that consumers’ freedom of choice will be restricted and that “psychological characteristics and vulnerabilities” will be exploited. What these risks are supposed to result from remains unknown, no facts have been established and of course the FDPIC cannot simply imply such a thing – apart from the fact that the protection of this freedom of choice would be a competition law concern. The fact that the FDPIC cannot enforce market behavior under the title of data protection has been clear since the Helsana ruling.
Secondly, you can only weigh up what you have determined and weighted first. However, the interests of Ricardo, TX and the media industry in personalized marketing are neither assessed nor weighed, nor are the measures to protect the data subjects (removal of all speaking identifiers, aggregation, disclosure of only aggregated (and thus, from Ricardo’s and TX’s point of view, anonymized) segment data).
The result is the impression that the FDPIC wants to introduce, modo legislatoris, a general ban on personalized advertising in groups of companies without consent – at least in the FDPIC’s view, since consent was in fact obtained via the CMP. The enactment of such a ban lies outside the FDPIC’s area of competence. His task is to enforce data protection law. It would be for the legislator, if anyone, to provide for such a ban in concrete terms; to date, however, no one apart from the FDPIC has called for it.
Recommendation B/2: Deletion of data without consent
2. TX must delete the existing data of Ricardo users that has already been collected for advertising purposes by the TX data offer companies, unless the Ricardo users have given, or TX has obtained, legally valid consent.
As a consequence of the previous recommendations, the FDPIC requires TX to delete the data of Ricardo users unless consent is obtained for processing. This is consistent if, like the FDPIC, one assumes unlawfulness, but of course also presupposes this.
What remains?
The FDPIC’s final report in the Ricardo and TX Group case is remarkable for several reasons. Firstly, the duration of the proceedings was extraordinarily long, also in comparison with other investigations into the facts of the case, which also took years. As far as can be seen so far, this is changing in the investigations under the new law, which are being progressed more quickly.
Secondly, the FDPIC’s approach to data protection law is too free. Of course, the FDPIC is entitled to interpret data protection law as he sees fit, and the fact that this interpretation is sometimes stricter than that of companies (and authorities) is in keeping with his role. However, ignoring established doctrine and case law is something else – the FDPIC does not have to follow them, but in his law-applying function he should not disregard these sources. The examination of the relevant facts is also too superficial. For example, the FDPIC cannot come to the conclusion that personal data is being processed without first having established the identification possibilities and interests as facts of the case.
The VwVG was only applicable by analogy to the old-law clarifications of the facts, and because they could not lead to binding orders without judicial review, a certain freedom in the procedure is understandable. However, the FDPIC underestimates his role if he does not take into account the factual binding nature of his statements.
As far as the author is aware, no decisions by the FDPIC under the new law have yet been challenged in court, but it is only a matter of time. We will then see whether the FDPIC adapts his approach in accordance with the new law. All signs point to this. This may not be advantageous for companies in every case, but it is fundamentally beneficial, and even more so for data protection.
As with the clarification of the facts in the Digitec Galaxus case and elsewhere, this shows the particular importance that the FDPIC attaches to transparency. In principle, he is right to do so. Swiss data protection law is based in particular on transparency, as it does not require a legal basis for data processing by private individuals. The emphasis is therefore placed even more than with the GDPR on the personal responsibility of the data subjects, and transparency is a prerequisite for this. Companies that draft data protection declarations should therefore do so with care, and what they would prefer not to say should be printed in bold. However, transparency is designed as a tiered system. If the entire weight is shifted to the data protection declarations because it is believed that data subjects will not exercise their right to information, this not only contradicts experience, but above all the will of the legislator. This aspect was not taken into account in the previous clarification of the facts or here. Of course, companies must provide the information necessary to understand their data processing. However, it is not necessary to assume that data subjects are incapable of finding their way through data protection declarations that are more complex in terms of their subject matter. And if data subjects do not understand something, they should simply ask – the lack of understanding of individual persons may trigger an investigation by the FDPIC, but is not evidence of a legal defect.