FDPIC: Acti­vi­ty report 2016/2017

The FDPIC today, Mon­day, June 26, issued its 24th Acti­vi­ty Report for the peri­od from April 1, 2016 to March 31, 2017 (PDF). published. It is the first acti­vi­ty report of the FDPIC under the lea­der­ship of Adri­an Lob­si­ger. An inter­view with Adri­an Lob­si­ger also from today Mon­day was published by SRF broad­cast.

The TB opens with the fol­lo­wing, per­haps some­what con­fron­ta­tio­nal, preface:

Almost every coun­try curr­ent­ly wants to sei­ze the oppor­tu­ni­ties offe­red by digi­tizati­on and allow its popu­la­ti­on to par­ti­ci­pa­te. In the are­as of trans­por­ta­ti­on and heal­th­ca­re, among others, Switz­er­land is also pushing ahead with major pro­jects for which we as citi­zens are to make a wealth of data available in our ever­y­day roles as cus­to­mers, pati­ents or tra­ve­lers. Whe­ther we want to do this and place our trust in the digi­tal expe­ri­ment depends on whe­ther Trans­pa­rent, fair and mino­ri­ty-sen­si­ti­ve online prac­ti­ces or digi­tal pater­na­lism, listening and duping enforce.

Regu­la­to­ry and cor­po­ra­te data pro­tec­tion coun­ter­act the lat­ter by influen­cing at an ear­ly stage to ensu­re that tele­ma­tics and robo­tics sup­port people’s fun­da­men­tal right to a free and self-deter­mi­ned life rather than end­an­ge­ring it. In view of the expe­ri­men­tal rea­li­ty of digi­tizati­on, I am con­vin­ced that, in addi­ti­on to new regu­la­ti­on, this will requi­re a prag­ma­tic data pro­tec­tionThe lat­ter must some­ti­mes also take uncon­ven­tio­nal paths in order to give accep­tance and effect to new legal and tech­ni­cal instru­ments for the pro­tec­tion of pri­va­cy and infor­ma­tio­nal self-deter­mi­na­ti­on. Fur­ther­mo­re, it needs Cre­di­ble powers and resour­cesdata pro­tec­tion can satis­fac­to­ri­ly accom­pa­ny lar­ge-sca­le pro­jects and deve­lop an appro­pria­te den­si­ty of controls.

Whe­ther the pater­na­lism is real­ly only to be sought on the part of the free mar­ket remains to be seen, as does whe­ther cor­po­ra­te data pro­tec­tion is bound by fun­da­men­tal rights (Switz­er­land does not know any direct third-par­ty effect of fun­da­men­tal rights; this is an essen­ti­al dif­fe­rence to the EU regu­la­ti­on, which must not be dis­re­gard­ed if data pro­tec­tion law is not to beco­me even more of a vehic­le for con­su­mer pro­tec­tion concerns).

The acti­vi­ty report (TB) expres­ses its views on the fol­lo­wing topics, among others:

Reor­ga­nizati­on of the FDPIC

The stra­te­gic and ope­ra­tio­nal focus on digi­tizati­on is sup­port­ed by a finan­ci­al­ly neu­tral reor­ga­nizati­on of the aut­ho­ri­ty, which came into effect on April 1, 2017. It aims to streng­then the authority’s tech­ni­cal com­pe­ten­ci­es and reli­e­ve its manage­ment of day-to-day cross-cut­ting tasks:

All tra­di­tio­nal staff and cross-divi­sio­nal tasks such as busi­ness con­trol, com­mu­ni­ca­ti­ons, finan­ce were trans­fer­red to the New­ly for­med Com­pe­tence Cen­ters unit (cf. the orga­nizati­on chart of the FDPIC: www.derbeauftragte.ch, The FDPIC – Orga­nizati­on). The­re, among other things:

  • bund­led all tech­ni­cal com­pe­ten­ci­es for the sup­port of data pro­tec­tion pro­ce­du­res and its own fur­ther training;
  • ana­ly­zes cur­rent deve­lo­p­ments in digitization.

The two pre­vious units on the Enforce­ment of the DPA were com­bi­ned under for­ma­ti­on of three teams. […]

The cur­rent orga­nizatio­nal chart can be found on the Web­site of the FDPIC.

Revi­si­on of the DPA

On p. 15 ff., the TB dis­cus­ses the ongo­ing revi­si­on of the DPA. It comm­ents on this, among other things, as follows:

We ack­now­ledge the qua­li­ty of the draft revi­si­on, but belie­ve that it should be sup­ple­men­ted. For exam­p­le, in the office con­sul­ta­ti­on pro­cess, we pro­po­sed, among other things, that the Streng­then the posi­ti­on of data sub­jects, name­ly with a right to object to pro­ce­s­sing, a right to data por­ta­bi­li­ty, and a right to delist as a sup­ple­ment to the right to era­su­re. Tho­se respon­si­ble for pro­ce­s­sing ope­ra­ti­ons that pose a par­ti­cu­lar risk to pri­va­cy should be invi­ted to the Appoint­ment of a data pro­tec­tion advi­sor obli­ga­ted beco­me. This task is alre­a­dy being per­for­med com­pre­hen­si­ve­ly in many com­pa­nies, is the sub­ject of trai­ning cour­ses, and forms an effec­ti­ve instru­ment for imple­men­ting data pro­tec­tion in com­pa­nies and in administration.

Final­ly, the DPA should also app­ly to data pro­ces­sors that do not have a regi­stered office in Switz­er­land but who­se pro­ce­s­sing ope­ra­ti­ons have their effect in Switz­er­land and affect indi­vi­du­als estab­lished here. The­se com­pa­nies should be requi­red to pro­vi­de a To have cont­act per­sons in Switz­er­land, in par­ti­cu­lar to faci­li­ta­te the exer­cise of the rights of data sub­jects. The rela­ti­on­ship bet­ween our legis­la­ti­on and the Euro­pean Regu­la­ti­on, name­ly its impact in Switz­er­land or for Swiss data con­trol­lers with pro­ce­s­sing acti­vi­ties in Euro­pe, rai­ses many legi­ti­ma­te que­sti­ons in Switz­er­land and in Euro­pe. In this sen­se we wel­co­me the Moti­on 16.3752 of the FDP-Libe­ral Group “Against dupli­ca­ti­on in data pro­tec­tion”, in which the Fede­ral Coun­cil is ins­truc­ted to seek an agree­ment with the Euro­pean Uni­on for the coor­di­na­ti­on of the appli­ca­ti­on of the respec­ti­ve appli­ca­ble law.

Other topics in the area of data protection

Other topics include:

  • Use of AHV num­bers in registers
  • Cla­ri­fi­ca­ti­on of facts regar­ding SwissPass
  • Data pro­tec­tion in elec­tro­nic ticketing
  • Cla­ri­fi­ca­ti­on of facts regar­ding Win­dows 10, wher­eby the solu­ti­on found via “laye­red con­sent” is eva­lua­ted as a mini­mum stan­dard for appli­ca­ti­ons and ser­vices of other com­pa­nies. It is descri­bed in the TB as follows:

    In the first release, all users are shown the set­ting opti­ons for data trans­fers with more exten­si­ve infor­ma­ti­on during the new instal­la­ti­on or when updating to this ope­ra­ting system. In the second release, users can addi­tio­nal­ly access the cor­re­spon­ding pas­sa­ge in the pri­va­cy poli­cy direct­ly during the instal­la­ti­on pro­cess. The link to fur­ther infor­ma­ti­on in the pri­va­cy state­ment increa­ses trans­pa­ren­cy and makes it easier for users to find their way through the exten­si­ve and detail­ed explanation.

  • New pri­va­cy poli­cy from Swisscom
  • Elec­tro­nic Iden­ti­ty Act (E‑ID Act)
  • Sur­veil­lan­ce of postal and tele­com­mu­ni­ca­ti­ons traf­fic – total revi­si­on of the ordinances
  • Imple­men­ting pro­vi­si­ons for the Fede­ral Act on the Elec­tro­nic Pati­ent File
  • Pro­ject BAGSAN ((sta­tis­tics based on data of insu­red per­sons) of the Fede­ral Office of Public Health
  • Out­sour­cing of invoi­cing in the medi­cal sec­tor (wher­eby the FDPIC requi­res the express con­sent of the data sub­jects for this).
  • Release from the obli­ga­ti­on to main­tain con­fi­den­tia­li­ty in the con­text of an IV procedure
  • Use of fit­ness trackers in the insu­rance sector
  • Cla­ri­fi­ca­ti­on of facts regar­ding eRe­crui­ting and appli­ca­ti­on dos­siers in the fede­ral administration
  • Swiss‑U.S. Pri­va­cy Shield
  • Cre­dit agen­cy Money­hou­se – Action befo­re the Fede­ral Admi­ni­stra­ti­ve Court
  • Ordi­nan­ces on the Ener­gy Stra­tegy 2050
  • Dis­clo­sure of per­so­nal data to for­eign tax authorities

Public Act

In the area of the Public Records Act, the TB addres­ses the fol­lo­wing issues:

  • Rest­ric­tion of the prin­ci­ple of publi­ci­ty in the super­vi­si­on of public transport.
  • Access to docu­ments on public procurement
  • Ordi­nan­ce on the Intel­li­gence Service
  • New working method for con­duc­ting BGÖ con­ci­lia­ti­on pro­ce­e­dings (sin­ce Janu­ary 1, 2017, new­ly recei­ved con­ci­lia­ti­on requests have been hand­led pri­ma­ri­ly in an expe­di­ted, oral procedure).

To the authority

The fol­lo­wing infor­ma­ti­on on the aut­ho­ri­ty is inte­re­st­ing, espe­ci­al­ly against the back­ground of the incre­a­sing tasks of the FDPIC due to the revi­si­on of the DPA:

  • Sin­ce 2005, the head­count has ran­ged bet­ween 22 and 24 employees (the TB does not indi­ca­te whe­ther the­se are FTEs).
  • The per­son­nel were deployed as follows:
  • Con­sul­ting accounts for almost 50% of the expen­ses. For 2017, he said, con­sul­ting is under­way in 10 major pro­jects, 3 in trans­port, 1 in finan­ce, 3 in health and labor, 1 in secu­ri­ty, and 2 in telcos/IoT.
  • The grea­test effort ari­ses in the are­as of trade & com­mer­ce; data pro­tec­tion issues in gene­ral; justi­ce, poli­ce and secu­ri­ty; and the public principle:

  • The TB con­ta­ins detail­ed sta­tis­tics on access requests accor­ding to BGÖ. Access requests were hand­led as fol­lows during the report­ing period:
  • The types of tran­sac­tions vary great­ly accor­ding to the depart­ments concerned:
  • Regar­ding the gro­wing tasks of the FDPIC under the revi­sed FADP, the FDPIC comm­ents as follows:

    Accor­ding to the accom­pany­ing report on the e‑DSG, the Fede­ral Coun­cil expects that the finan­cial needs of the FDPIC as a who­le “increa­se signi­fi­cant­ly”. The quan­ti­fi­ca­ti­on of this rein­force­ment will ulti­m­ate­ly deter­mi­ne the inten­si­ty with which the fede­ral data pro­tec­tion aut­ho­ri­ty can per­form its tasks. Sin­ce some of the new instru­ments are descri­bed in gene­ral terms in the text of the law, it is obvious that the poli­ti­cal aut­ho­ri­ties will have con­sidera­ble dis­creti­on in asses­sing future deve­lo­p­ments and quan­ti­fy­ing them.

    In doing so, the poli­ti­cal bodies should pay due atten­ti­on to the spe­cial natu­re of the tasks of the data pro­tec­tion aut­ho­ri­ty: the main task of the FDPIC is to pro­tect pri­va­cy and gua­ran­tee the right to infor­ma­tio­nal self-deter­mi­na­ti­on in the digi­tal socie­ty. The FDPIC must be able to act inde­pendent­ly. This requi­res ade­qua­te and suf­fi­ci­ent human, mate­ri­al, tech­ni­cal and finan­cial resour­ceswhich do not limit the super­vi­so­ry aut­ho­ri­ty to reac­tively doing the indis­pensable, but allow it to take the initia­ti­ve to act; and to do so with a degree of cre­di­bi­li­ty and inten­si­ty that the public con­cer­ned may rea­son­ab­ly expect in order to pro­tect its fun­da­men­tal rights.




Rela­ted articles