Interpellation Schelbert (06.3705): Safeguarding electronic privacy
Done (23.03.2007)
Submitted text
Epta (European Parliamentary Technology Assessment) deals with technology impact assessment. In a new report, Epta has examined the impact of electronic services on our privacy and generally identified a need for political action. In this context, I would like the Federal Council to answer the following questions:
1. how does it assess the ability of individuals to assess the opportunities and risks of managing their electronic privacy?
2. does it envisage measures to optimize the opportunities for individuals to exercise their personal responsibility?
3. does it see any possibilities for requiring providers of electronic services to provide more information?
4. what is its position on the idea of requiring that data protection concerns be taken into account at an early stage, i.e., during the design and development of electronic offerings?
5. will the Federal Data Protection Commissioner’s job budget be increased?
Justification
Electronic services are covering ever larger areas. At the same time (and probably because of this), we humans are leaving electronic traces in more and more places. Unlike those in the snow, however, these do not disappear, but can be collected and linked. And they are being collected, and they are being linked. It is becoming increasingly difficult for individuals to keep track of them or even to gain an overview of them. Of course, one can talk about personal responsibility, but the excessive demands on many individuals are obvious.
The Epta report shows that some problems could be avoided. Sensitization among providers and users is necessary. To this end, the concerns of data and privacy protection would have to be taken into account at an early stage. This applies to both the private sector and the public sector (e‑government, e‑health, etc.). Adequately equipped data protection agencies can also make an important contribution to preventing or at least reducing problems, so that they can support the population and politicians in their many functions.
Statement of the Federal Council
1 The handling of electronic data and the associated risks to privacy constantly pose new challenges to the individual. However, experience with the Data Protection Act (SR 235.1) has shown that its application is generally satisfactory (cf. Dispatch on the amendment of the Federal Act on Data Protection – FADP – and on the Federal Decree concerning Switzerland’s accession to the Additional Protocol of 8 November 2001 to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data transfers, BBl 2003 2101ff.). One of the central concerns of the aforementioned revision of the Data Protection Act was precisely to strengthen the position of the data subject by improving his or her information and creating more transparency with regard to the data processing that concerns him or her.
2/3 The revised Data Protection Act (revDSG, BBl 2006 3547ff., not yet in force) stipulates that the acquisition and processing purpose of personal data must be recognizable to the data subject (Art. 4 para. 4 revDSG), and also stipulates in Art. 7a an active duty to provide information when acquiring data or personality profiles that are particularly worthy of protection. In this way, the information of the individual is optimized in a meaningful way.
The Data Protection Act sets out the requirements that the processing of personal data by private individuals must meet. These requirements are independent of the technology used and also apply to electronic offerings. The revised Data Protection Act adheres to the technology-neutral basic concept. Early consideration of legal requirements will generally be in the interest of the provider of a product or service who strives to comply with legal requirements and gain the trust of potential customers. To what extent a special legal provision could be of additional benefit in this respect is not apparent. Furthermore, it should be noted that based on Article 11 (2) revDSG, the instrument of data protection certifications will be introduced in the future. The data protection quality marks obtained on the basis of this voluntary certification can be used for advertising purposes. This should create an additional incentive to also design electronic offerings in a data protection-compliant manner.
5 The number of posts at the FDPIC was last increased by four in 2004. Since 2007, the Federal Chancellery has financed an additional post for the Federal Data Protection and Information Commissioner (FDPIC) from its budget. If the new tasks imposed on the FDPIC (Public Information Act, Schengen/Dublin Agreement) should lead to a greater workload, a reduction in tasks or an increase in the staff budget will be unavoidable. The review of the FDPIC currently underway by the Swiss Federal Audit Office should provide further bases for this.