Interpellation Schwaab (15.3822): Quickly cure teething troubles of the new public transport season ticket “Swiss Pass
Pending, discussion postponed (18.12.2015)
See also “Swiss Pass”: FDPIC demands deletion of control data
Submitted text
I put the following questions to the Federal Council:
1. is the Federal Council aware that the data protection regulations regarding the “Swiss Pass” violate modern concepts of data protection? For example, against data protection by technology (“privacy by design”) or data protection by default (“privacy by default”), both principles that the Federal Council supported in its responses to my Postulates 13.3806 and 13.3807.
2. is this type of processing of personal data and its disclosure to third parties legal?
3. will the Federal Council intervene with SBB and the other public transport companies concerned (as well as their owners) to ensure that the “Swiss Pass” guarantees data protection through technology and data protection through default settings? If not, why not?
4. there is a risk that ticket checks on public transport will take significantly longer, as each “Swiss Pass” has to be scanned individually and therefore not only can fewer people be checked, but life is also made unnecessarily difficult for staff and users? Is the Federal Council aware of this risk? Will it intervene to simplify this process?
5 Since the checks take longer, fewer people can be checked. Does the Federal Council think that this will encourage fare evasion?
6. will the Federal Council intervene to ensure that the “Swiss Passport” is given a name in one (or more) of the national languages? If not, why not?
Justification
SBB and other public transport companies have introduced the new subscription “Swiss Pass”. This new subscription not only has only an English name, but also does not sufficiently guarantee privacy protection. The personal data of subscription holders can be used for marketing purposes, for example, unless they have expressly objected to this. In addition, the data may be disclosed to third parties. Subscription holders are not expressly informed of this possibility and must take the necessary steps themselves to prevent the dissemination of their personal data. This practice violates modern concepts of data protection. Since the “Swiss Pass” will replace a great many season tickets, it is extremely likely that the personal data of millions of public transport users will be misused. In addition, ticket checks will take longer because of the new system, and life will be made unnecessarily difficult for staff and users.
Statement of the Federal Council
1 In the public transport industry, a distinction is made between customer data and control data. The introduction of the “Swiss Pass” does not change the handling of customer data. Customer data will continue to be used for marketing purposes. According to SBB, this is done “with extreme restraint”.
A concretization of the principles of “Privacy by Default” (principle of data protection-friendly default settings) and “Privacy by Design” (principle of data protection by technology) is currently being discussed both in Switzerland and at the European level as part of the ongoing data protection reforms. In connection with the “Swiss Passport”, the Federal Council sees two points that need to be considered with regard to these principles. With regard to customer data, the conflict with the “Privacy by Default” principle could be that the customer must object if he does not want his data to be used for marketing purposes. Anyone who does not want this to happen must communicate this by e‑mail, telephone or at the counter.
When a traveler with a “Swiss Pass” is checked, a control data record is created in each case. The control data is stored for 90 days. With regard to the control data, this storage is to be considered in light of the principle of “Privacy by Design”: According to SBB, this retention period is intended to enable the processing of any customer reactions after travel.
It is the responsibility of the Federal Data Protection and Information Commissioner (FDPIC) to check whether there have been any violations of the applicable data protection law and, if necessary, to ensure compliance with the regulations. As part of its supervisory activities, the FDPIC carries out checks every year, including on compliance with the data protection provisions for the “Swiss Pass”. The Association of Public Transport (VöV) as the publisher of the “Swiss Pass” and the SBB presented the data protection measures to the FDPIC in spring 2015. The formal examination by the FDPIC in the form of the “Clarification of the facts ‘Swiss Pass’ ” is currently still pending. VöV and its affiliated companies are cooperating unconditionally with the FDPIC in this review.
2 SBB assures that customer data is not traded at any time. Data may only be disclosed to third parties if specialized partners perform services on behalf of SBB. Data will only be disclosed to such specialized partner companies if no legal or contractual confidentiality obligation prohibits this. In addition, the handling of the transmitted customer data by the partner companies is contractually regulated, whereby the provisions in the Swiss Data Protection Act form a mandatory basis. The Federal Council is therefore unable to identify any unauthorized data processing by third parties.
3 The Federal Council is convinced that the FDPIC would take the necessary measures if it were to identify violations of the DPA.
4. it is true that the control process on the train is somewhat prolonged. The actual check takes only a very short time, but customers have to hand over their season ticket to the control staff. However, the control will be more precise with the “Swiss Pass”, as the control staff will immediately recognize invalid season tickets. It is the responsibility of the public transport companies to ensure that ticket checks are expedient and customer-friendly.
5 Even today, the level of control in public transport is not 100 percent. Given today’s traffic and passenger volumes, this is neither logistically feasible nor economically viable. Many years of experience show that a 100 percent level of control is not necessary to enforce the ticket obligation. Rather, it is important that checks take place on a comprehensive and regular basis. The transport companies constantly monitor the rate of passengers without a valid ticket. Should this increase contrary to expectations, the transport companies would be in a position to intensify controls.
6 Market presence and product names are a matter for the transport companies that are members of VöV. The Federal Council therefore sees no reason to intervene. The use of the anglicism in naming has advantages from the point of view of VöV: In multilingual Switzerland, it can in certain cases simplify communication at the national level without disadvantaging one language region. In general, anglicisms can increase the recognition value of products and offers more than a name in the respective national language. The name “Swiss Pass” was selected by a committee with representatives from all language and national regions.