Interpellation Grin (09.4022): Security risks associated with telephone data handled abroad
Done (19.03.2010)
Submitted text
Since certain risks emanate from Pakistan, I put the following questions to the Federal Council:
1. Is information encrypted before it is sent to third countries so that it is not possible to link people and data?
2. Is data protection guaranteed by the telephone companies? If so, how?
3. If unauthorized persons could gain access to CRM data, what information could they extract from it?
Justification
Telephone companies have their CRM (Customer Relationship Management) data processed abroad. CRM is defined as “a process for handling all data used to identify customers, create databases of information about customers, develop customer relationships and improve the company and product image among customers”. CRM data is used to define the needs of customers and to be able to make them customized offers. Swisscom, for example, has its data processed in Pakistan.
Statement of the Federal Council
The present interpellation generally deals with the processing of “telephone data”. However, the explanatory statement mentions Swisscom by name, which has its CRM data processed in Pakistan. Upon request, Swisscom counters that it does not process any CRM data in Pakistan. Only maintenance work on a specific application is currently still being carried out in Pakistan, but this work is expected to be taken over exclusively by Swisscom again in the course of this year.
The following answers to the questions in the interpellation are based on information from the four largest telecommunications companies in Switzerland, which together serve up to 97 percent of Swiss customers, depending on the sector. This shows that these companies are behaving in compliance with the law. The Federal Council has no indication that other telecommunications service providers do not also comply with the relevant data protection regulations.
1. Before personal data is transferred abroad, organizational and technical measures are taken to ensure compliance with the Federal Act on Data Protection of 19 June 1992 (FADP; SR 235.1). In particular, the data is encrypted and authenticated so that the security of the data transmission can be guaranteed. Depending on the application, the contents of the data are also anonymized. However, anonymization is not always possible, e.g. if name and address are required for processing. Furthermore, data protection contracts are concluded and organizational measures are taken, such as restricting access to the data and regular checks.
2. For the disclosure of personal data to recipients abroad, the owners of data collections, i.e. also the telecommunications service providers, must comply in particular with Article 6 FADP. Accordingly, the disclosure of data abroad is only permitted if the data protection legislation there guarantees adequate protection. The Federal Data Protection and Information Commissioner (FDPIC) maintains a public list of countries that guarantee this protection.
However, the disclosure of personal data to recipients in countries without adequate protection is only permitted in certain cases. For example, disclosure is permitted if a contract with the recipient of the data abroad ensures adequate protection. Disclosure is also permitted if it takes place between companies that are subject to uniform management and the parties involved are subject to data protection rules that ensure adequate protection.
Traffic and billing data are sent either only to countries that guarantee adequate data protection according to the FDPIC list, or only to foreign companies with which contracts exist that guarantee data protection. However, if customers make calls in countries that are not secure, traffic data will of course also be generated there.
3. Should unauthorized persons abroad gain access to personal data, they would not be able to extract more information from it than was transmitted from Switzerland to the foreign country. Depending on the processing mandate, this could include the following data: telephone numbers, names, addresses, billing data, telephony behavior, information about services used via the Internet. However, it cannot be ruled out that the above-mentioned data from telecommunications services will be combined with data from other service providers, e.g. credit card transactions, Internet services for information searches, e‑mail or chat services. Customers should therefore choose a service provider with the highest possible level of data protection for all sensitive data.