Interpellation Schelbert (06.3705): Safeguarding electronic privacy

Done (23.03.2007)

Submitted text

Epta (European Parliamentary Technology Assessment) deals with technology impact assessment. In a new report, Epta has examined the impact of electronic services on our privacy and generally identified a need for political action. In this context, I would like the Federal Council to answer the following questions:

1. How does it assess the ability of individuals to assess the opportunities and risks of managing their electronic privacy?

2. Does it envisage measures to optimize the opportunities for individuals to exercise their personal responsibility?

3. Does it see any possibilities for requiring providers of electronic services to provide more information?

4. What is its position on the idea of requiring that data protection concerns be taken into account at an early stage, i.e., during the design and development of electronic offerings?

5. Will the Federal Data Protection Commissioner's job budget be increased?

Justification

Electronic services are covering ever larger areas. At the same time (and probably because of this), we humans are leaving electronic traces in more and more places. Unlike those in the snow, however, these do not disappear, but can be collected and linked. And they are being collected, and they are being linked. It is becoming increasingly difficult for individuals to keep track of them or even to gain an overview of them. Of course, one can talk about personal responsibility, but the excessive demands on many individuals are obvious.

The Epta report shows that some problems could be avoided. Sensitization among providers and users is necessary. To this end, the concerns of data and privacy protection would have to be taken into account at an early stage. This applies to both the private sector and the public sector (e-government, e-health, etc.). Adequately equipped data protection agencies can also make an important contribution to preventing or at least reducing problems, so that they can support the population and politicians in their many functions.

Statement of the Federal Council

1 The handling of electronic data and the associated risks to privacy constantly pose new challenges to the individual. However, experience with the Data Protection Act (SR 235.1) has shown that its application is generally satisfactory (cf. Dispatch on the amendment of the Federal Act on Data Protection – FADP – and on the Federal Decree concerning Switzerland's accession to the Additional Protocol of 8 November 2001 to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data transfers, BBl 2003 2101ff.). One of the central concerns of the aforementioned revision of the Data Protection Act was precisely to strengthen the position of the data subject by improving his or her information and creating more transparency with regard to the data processing that concerns him or her.

2/3 The revised Data Protection Act (revDSG, BBl 2006 3547ff., not yet in force) stipulates that the acquisition and processing purpose of personal data must be recognizable to the data subject (Art. 4 para. 4 revDSG), and also stipulates in Art. 7a an active duty to provide information when acquiring data or personality profiles that are particularly worthy of protection. In this way, the information of the individual is optimized in a meaningful way.

The Data Protection Act sets out the requirements that the processing of personal data by private individuals must meet. These requirements are independent of the technology used and also apply to electronic offerings. The revised Data Protection Act adheres to the technology-neutral basic concept. Early consideration of legal requirements will generally be in the interest of the provider of a product or service who strives to comply with legal requirements and gain the trust of potential customers. To what extent a special legal provision could be of additional benefit in this respect is not apparent. Furthermore, it should be noted that based on Article 11 (2) revDSG, the instrument of data protection certifications will be introduced in the future. The data protection quality marks obtained on the basis of this voluntary certification can be used for advertising purposes. This should create an additional incentive to also design electronic offerings in a data protection-compliant manner.

5 The number of posts at the FDPIC was last increased by four in 2004. Since 2007, the Federal Chancellery has financed an additional post for the Federal Data Protection and Information Commissioner (FDPIC) from its budget. If the new tasks imposed on the FDPIC (Public Information Act, Schengen/Dublin Agreement) should lead to a greater workload, a reduction in tasks or an increase in the staff budget will be unavoidable. The review of the FDPIC currently underway by the Swiss Federal Audit Office should provide further bases for this.
