Kt. ZH: Com­ple­te­ly revi­sed IDG refer­red to the can­to­nal council

In its mee­ting of July 5, 2023, the Govern­ment Coun­cil of the Can­ton of Zurich sub­mit­ted the pro­po­sal on the total revi­si­on of the Infor­ma­ti­on and Data Pro­tec­tion Act (IDG) to the Can­to­nal Coun­cil. adopted. The annex con­ta­ins the draft of the new IDG and the report of the govern­ment coun­cil, i.e., to a cer­tain ext­ent, the message.

The Govern­ment Council’s report high­lights the fol­lo­wing inno­va­tions, among others:

• Struc­tu­re of the IDGThe com­mon fea­tures of data pro­tec­tion and the prin­ci­ple of publi­ci­ty are now regu­la­ted in a com­mon sec­tion, while the spe­cial fea­tures are regu­la­ted in sepa­ra­te sections.
• A big topic was the issue of Arti­fi­ci­al intel­li­gence. The govern­ment coun­cil has incor­po­ra­ted cor­re­spon­ding con­cerns sel­ec­tively, but has refrai­ned from an over­ar­ching regu­la­ti­on, becau­se AI appli­ca­ti­ons are used more wide­ly in the can­ton (cf. the RRB No. 1059/2021). “ ‘Arti­fi­ci­al intel­li­gence’ per se does not exist”; rather, this term encom­pas­ses a wide varie­ty of pro­ce­s­ses, tech­no­lo­gies and con­cepts. Gene­ral prin­ci­ples of data pro­tec­tion and also data secu­ri­ty requi­re­ments app­ly; at least the risk-based approach is empha­si­zed more stron­gly. Accor­ding to a stu­dy, com­pre­hen­si­ve regu­la­ti­on would also requi­re chan­ges to the Admi­ni­stra­ti­ve Justi­ce Act (VRG), for exam­p­le with regard to pro­ce­du­ral gua­ran­tees. Pro­fil­ing is also regu­la­ted, which requi­res a legal basis in a law. Thus, “AI appli­ca­ti­ons in con­nec­tion with the pro­ce­s­sing of per­so­nal data by public bodies are lar­ge­ly absor­bed”; accor­din­gly, the­re is no need to pro­vi­de for new legal instru­ments in the IDG. Fur­ther­mo­re, to the ext­ent that AI is used in the can­ton, the HERMES pro­ject spe­ci­fi­ca­ti­on alre­a­dy requi­res a cor­re­spon­ding legal review at a fair­ly ear­ly stage. Howe­ver, the­re are sel­ec­ti­ve regu­la­ti­ons. For exam­p­le, public bodies are requi­red to make publicly available a list of the algo­rith­mic decis­i­on-making systems they use that have an impact on the fun­da­men­tal rights of individuals.
• Dis­hes will no lon­ger be gene­ral­ly exempt from the appli­ca­ti­on of data pro­tec­tion law becau­se this would vio­la­te the Schen­gen Direc­ti­ve. Howe­ver, they will be exempt from the appli­ca­ti­on of the prin­ci­ple of public access.
• The prin­ci­ple of publi­ci­ty is to be streng­the­ned. Ano­ther new fea­ture is the func­tion of a Repre­sen­ta­ti­ve for the prin­ci­ple of publi­ci­ty would be intro­du­ced, which would be per­for­med by the data pro­tec­tion offi­cer in addi­ti­on to his or her own staff. This would requi­re an esti­ma­ted two addi­tio­nal full-time posi­ti­ons. The cost and fee regu­la­ti­ons for access to infor­ma­ti­on will also be adjusted.
• New are regu­la­ti­ons on govern­ment data (Open Govern­ment Data) must be crea­ted. Open govern­ment data must first be iden­ti­fi­ed, descri­bed with meta­da­ta, and cataloged.
• New is a regu­la­ti­on for Pilot test­ing ana­log­ous to the DSG.
• With the Legal basis it shall be suf­fi­ci­ent under cer­tain con­di­ti­ons if a law assigns a task for the ful­fill­ment of which the pro­ce­s­sing of spe­cial per­so­nal data is indis­pensable. In addi­ti­on, con­sent may be suf­fi­ci­ent as a legal basis for the pro­ce­s­sing of spe­cial per­so­nal data, also under cer­tain conditions.