Interpellation Marti (19.3659): Swisscom launches data octopus Beem: How is this compatible with the Confederation’s ownership strategy?
Submitted text
In recent weeks, the public has been informed about extensive technological changes in the advertising market. Swisscom intends to use Beem “make classic advertising campaigns interactive and smartphone-enabled,” as communicated in a media release. Similarly, “Aymo“Amyo is an APG service that uses high-frequency audio signals to display user-specific advertisements depending on the content consumed by the corresponding app (20 Minuten, Watson, Bluewin). While the launch of Beem was delayed by a number of complaints, Amyo is already in use today and, among other things, records the location of users if this has been released in the corresponding apps. Although APG insists that they would not have access to IP address, cell phone number, name and mail address, they say they create target group profiles.
I would ask the Federal Council to answer the following questions:
1. why has Beem not yet been audited by the FDPIC?
2) Does the Confederation, as owner of Swisscom, support corresponding business strategies? Why/why not?
3) How many other comparable offers via Bluetooth or GPS are there in Switzerland?
4. to what extent is it ensured that these offers are actually only sent to the cell phone and not answered by the cell phone?
5. to what extent can providers be obliged to actively opt-in/opt-out (even in the case of recurring use)?
6) How does the Federal Council view the fact that Beem’s data protection provisions do not explicitly exclude further use by third parties and place all responsibility on the users?
7 What happens if corresponding data collections are superimposed (location with e.g. club memberships or similar)?
8. how many people and/or animals find ultrasonic sounds disturbing?
9. should such ultrasonic sounds be broadcast on public television?
10. to what extent does the Federal Council plan to allocate research funds to consumer cybersecurity (instead of only authorities and companies)?
Statement of the Federal Council from 14.8.19
1 In order to improve data protection and data security, the manufacturers of data processing systems or programs and private individuals or federal bodies that process personal data may subject their systems, procedures and organization to an assessment by recognized independent certification bodies. The Federal Data Protection and Information Commissioner (FDPIC) itself cannot conduct audits in the sense of certifications of data processing systems.
However, the FDPIC advises and supervises private individuals and federal bodies with regard to compliance with the legal data protection provisions. This means that, on the one hand, the FDPIC helps to raise awareness of aspects of data protection among those who process personal data (i.e. the owners of data collections), but also among those about whom data are processed (i.e. the data subjects), and to inform them.
On the other hand, the commissioner can then intervene if the owners of data collections do not comply with the principles of data protection. With regard to Beem, the FDPIC is therefore also closely monitoring the situation and reserves the right to take appropriate measures if there are increasing indications that the personal rights of the data subjects are being unlawfully violated with Beem.
2. The Federal Council manages Swisscom by setting strategic goals. In doing so, it expects Swisscom to be managed in a business-oriented, competitive and customer-focused manner.. Likewise, that it successfully offers network infrastructures and services based on them in the converging markets of telecommunications, information technology, broadcasting, media and entertainment, thus contributing to the digitization of all regions in Switzerland. By contrast, the Federal Council has no influence on the operational business.
3. with Bluetooth, signals are transmitted directly between the poster and the cell phone. The GPS coordinates are processed within the cell phone. Both are therefore carried out without the intervention of telecommunications service providers, which are subject to OFCOM supervision under the Telecommunications Act (TCA; SR 784.10), and without the intervention of other companies which are subject to specific official supervision. The Federal Council therefore has no information on how many comparable offerings there are in Switzerland.
4 Since this is not electromagnetic transmission as defined by the TCA, which would be subject to OFCOM supervision, but sound transmission, the Federal Council has no information on this issue.
5. The advertising appearing through the Bluetooth signals on the corresponding apps is likely to constitute mass advertising within the meaning of Art. 3 para. 1 let. o UWG. The advertiser must therefore disclose his identity and obtain the recipient’s consent before broadcasting the advertisement (Opt-In). Furthermore, in the case of recurring advertising, it must be ensured that it contains a simple and free rejection option which allows the recipient to stop the advertising again (opt-out). In this respect, providers are already obliged to actively opt-in and opt-out.
Furthermore, the principle of clarity and truth in competition should dictate that it be disclosed to the user that the advertising is user-specific.
6. the provisions of data protection must be complied with in the event of disclosure of personal data to third parties and its further use. Disclosure can be justified, for example, by the consent of the persons concerned. According to the information provided by Swisscom, the data would only be passed on with the explicit consent of the customer. And this only if the clientele agrees to the advertisers’ data protection guidelines.
7 In principle, every data owner has the obligation to keep the different data collections clearly separated from each other and to ensure data security by means of suitable technical and organizational measures. From a data protection perspective, linking or combining data from different sources usually violates the privacy of data subjects. According to the principle of purpose, personal data may only be processed for the purpose that was stated when it was obtained, is evident from the circumstances or is provided for by law. Data subjects must therefore be informed in detail about further data processing before it is linked to other data, and must be able to give their consent to it. Without such consent, such combinations are possible only if a law so provides or if there are overriding private or public interests.
8. as already mentioned in question time on Beem (19.5370 Masshardt), the disturbance perception of humans and animals strongly depends on the frequency and loudness of such sounds. The thresholds of perceptibility and significant disturbance are close together for these sounds. Thus, if such a sound is audible, it is usually already disturbing. Such high-frequency signals can also be disturbing or frightening for animals, which is the case, for example, with cat and marten scaring devices.
Whether such annoying or harmful interference can occur with the new advertising technology is currently being clarified by the responsible federal offices in DETEC. The clarifications include not only an assessment of the technical design of the advertising technology, but also measurements of the sounds from specific devices. The results should be available in the course of this year and will be published on the websites of the FOEN and OFCOM.
9 The Federal Council is not aware of any specific projects to also broadcast the sounds for the interactive advertising campaigns via the SRG TV channels.
10. according to the “National Strategy for the Protection of Switzerland against Cyber Risks 2018 – 2022″, no specific research funding on cyber security is provided for authorities and companies so far. Research funds are made available via the existing vessels and processes (e.g. via the National Fund). These are available for applications from all areas, i.e. also for projects related to the cyber security of consumers.