The FDPIC today, Monday, June 26, issued its 24th Activity Report for the period from April 1, 2016 to March 31, 2017 (PDF). published. It is the first activity report of the FDPIC under the leadership of Adrian Lobsiger. An interview with Adrian Lobsiger also from today Monday was published by SRF broadcast.
The TB opens with the following, perhaps somewhat confrontational, preface:
Almost every country currently wants to seize the opportunities offered by digitization and allow its population to participate. In the areas of transportation and healthcare, among others, Switzerland is also pushing ahead with major projects for which we as citizens are to make a wealth of data available in our everyday roles as customers, patients or travelers. Whether we want to do this and place our trust in the digital experiment depends on whether Transparent, fair and minority-sensitive online practices or digital paternalism, listening and duping enforce.
Regulatory and corporate data protection counteract the latter by influencing at an early stage to ensure that telematics and robotics support people’s fundamental right to a free and self-determined life rather than endangering it. In view of the experimental reality of digitization, I am convinced that, in addition to new regulation, this will require a pragmatic data protectionThe latter must sometimes also take unconventional paths in order to give acceptance and effect to new legal and technical instruments for the protection of privacy and informational self-determination. Furthermore, it needs Credible powers and resourcesdata protection can satisfactorily accompany large-scale projects and develop an appropriate density of controls.
Whether the paternalism is really only to be sought on the part of the free market remains to be seen, as does whether corporate data protection is bound by fundamental rights (Switzerland does not know any direct third-party effect of fundamental rights; this is an essential difference to the EU regulation, which must not be disregarded if data protection law is not to become even more of a vehicle for consumer protection concerns).
The activity report (TB) expresses its views on the following topics, among others:
Reorganization of the FDPIC
The strategic and operational focus on digitization is supported by a financially neutral reorganization of the authority, which came into effect on April 1, 2017. It aims to strengthen the authority’s technical competencies and relieve its management of day-to-day cross-cutting tasks:
All traditional staff and cross-divisional tasks such as business control, communications, finance were transferred to the Newly formed Competence Centers unit (cf. the organization chart of the FDPIC: www.derbeauftragte.ch, The FDPIC – Organization). There, among other things:
- bundled all technical competencies for the support of data protection procedures and its own further training;
- analyzes current developments in digitization.
The two previous units on the Enforcement of the DPA were combined under formation of three teams. […]
The current organizational chart can be found on the Website of the FDPIC.
Revision of the DPA
On p. 15 ff., the TB discusses the ongoing revision of the DPA. It comments on this, among other things, as follows:
We acknowledge the quality of the draft revision, but believe that it should be supplemented. For example, in the office consultation process, we proposed, among other things, that the Strengthen the position of data subjects, namely with a right to object to processing, a right to data portability, and a right to delist as a supplement to the right to erasure. Those responsible for processing operations that pose a particular risk to privacy should be invited to the Appointment of a data protection advisor obligated become. This task is already being performed comprehensively in many companies, is the subject of training courses, and forms an effective instrument for implementing data protection in companies and in administration.
Finally, the DPA should also apply to data processors that do not have a registered office in Switzerland but whose processing operations have their effect in Switzerland and affect individuals established here. These companies should be required to provide a To have contact persons in Switzerland, in particular to facilitate the exercise of the rights of data subjects. The relationship between our legislation and the European Regulation, namely its impact in Switzerland or for Swiss data controllers with processing activities in Europe, raises many legitimate questions in Switzerland and in Europe. In this sense we welcome the Motion 16.3752 of the FDP-Liberal Group “Against duplication in data protection”, in which the Federal Council is instructed to seek an agreement with the European Union for the coordination of the application of the respective applicable law.
Other topics in the area of data protection
Other topics include:
- Use of AHV numbers in registers
- Clarification of facts regarding SwissPass
- Data protection in electronic ticketing
- Clarification of facts regarding Windows 10, whereby the solution found via “layered consent” is evaluated as a minimum standard for applications and services of other companies. It is described in the TB as follows:
- Electronic Identity Act (E‑ID Act)
- Surveillance of postal and telecommunications traffic – total revision of the ordinances
- Implementing provisions for the Federal Act on the Electronic Patient File
- Project BAGSAN ((statistics based on data of insured persons) of the Federal Office of Public Health
- Outsourcing of invoicing in the medical sector (whereby the FDPIC requires the express consent of the data subjects for this).
- Release from the obligation to maintain confidentiality in the context of an IV procedure
- Use of fitness trackers in the insurance sector
- Clarification of facts regarding eRecruiting and application dossiers in the federal administration
- Swiss‑U.S. Privacy Shield
- Credit agency Moneyhouse – Action before the Federal Administrative Court
- Ordinances on the Energy Strategy 2050
- Disclosure of personal data to foreign tax authorities
In the area of the Public Records Act, the TB addresses the following issues:
- Restriction of the principle of publicity in the supervision of public transport.
- Access to documents on public procurement
- Ordinance on the Intelligence Service
- New working method for conducting BGÖ conciliation proceedings (since January 1, 2017, newly received conciliation requests have been handled primarily in an expedited, oral procedure).
To the authority
The following information on the authority is interesting, especially against the background of the increasing tasks of the FDPIC due to the revision of the DPA:
- Since 2005, the headcount has ranged between 22 and 24 employees (the TB does not indicate whether these are FTEs).
- The personnel were deployed as follows:
- Consulting accounts for almost 50% of the expenses. For 2017, he said, consulting is underway in 10 major projects, 3 in transport, 1 in finance, 3 in health and labor, 1 in security, and 2 in telcos/IoT.
- The greatest effort arises in the areas of trade & commerce; data protection issues in general; justice, police and security; and the public principle:
- The TB contains detailed statistics on access requests according to BGÖ. Access requests were handled as follows during the reporting period:
- The types of transactions vary greatly according to the departments concerned:
- Regarding the growing tasks of the FDPIC under the revised FADP, the FDPIC comments as follows:
According to the accompanying report on the e‑DSG, the Federal Council expects that the financial needs of the FDPIC as a whole “increase significantly”. The quantification of this reinforcement will ultimately determine the intensity with which the federal data protection authority can perform its tasks. Since some of the new instruments are described in general terms in the text of the law, it is obvious that the political authorities will have considerable discretion in assessing future developments and quantifying them.
In doing so, the political bodies should pay due attention to the special nature of the tasks of the data protection authority: the main task of the FDPIC is to protect privacy and guarantee the right to informational self-determination in the digital society. The FDPIC must be able to act independently. This requires adequate and sufficient human, material, technical and financial resourceswhich do not limit the supervisory authority to reactively doing the indispensable, but allow it to take the initiative to act; and to do so with a degree of credibility and intensity that the public concerned may reasonably expect in order to protect its fundamental rights.