- The E‑DSG does not change the Swiss data protection principle: Profiling does not generally require consent; processing is permitted if no processing principles are violated.
- Explicit consent is only required if profiling violates a processing principle and there is no other justification.
Like reports Parliament adopted the e‑DSG in today’s final vote.
One question that accompanied the councils’ tough negotiations was that of the Consent for profiling. The FDPIC has already repeatedly taken the position (cf. here), the processing of particularly sensitive personal data and personality profiles is always only permissible with consent. The FDPIC probably wants this position to be understood as a recommendation, not as the result of mandatory law, and in certain situations it makes sense to obtain consent voluntarily – from a legal point of view, however, this position would clearly be wrong.
In the private sphere, the DPA and the e‑DPA conceptually follow the protection of personality under the CC. It is not unlawful to make negative comments about a person as long as the threshold of a violation of personality is not reached, and it is just as unlawful to process personal data – whatever the personal data and whatever the processing method – as long as the processing principles are not violated. The GDPR takes a different approach, the principle of prohibition, which is only breached selectively; but this approach is alien to Swiss law.
The E‑DSG has not changed this concept. This must also be mentioned because the debate in Parliament could sometimes have given the impression that, at least for high-risk profiling, things were different, that consent was always and fundamentally a prerequisite. This is wrong, and it is clear from the votes in the chambers that such a fundamental departure from the current system was not intended. As today, profiling does not require consent, either explicit or implied.
The history of the E‑DSG also shows this. In the Preliminary draft of the new DPA was still intended, profiling without explicit consent was unlawful:
Art. 23 Violation of personality rights
1 Anyone who processes personal data must not unlawfully infringe the personality of the persons concerned.
2 A violation of personality rights exists in particular:
[…]d. through Profiling without explicit consent of the person concerned.
If the Federal Council really intended at the time to prohibit profiling without consent (which is not certain; it was not clear from the explanatory report whether the Federal Council was aware of the scope of its proposal), it would in any case have done so in the right place, namely in the provision on personality violations. However, this request met with broad resistance in the consultation, and this provision was no longer found in the draft FADP. It is thus clear that the ban on profiling without consent was proposed, discussed and dropped. It would take some contortions to read it back into the law (even if some participants in the consultation said at the time that there was no need for this particular prohibition because it was already included in the principles).
As mentioned above, it is not clear from the parliamentary debate that profiling always requires consent. It is true that there are statements that could be read in this way with a correspondingly good – or bad – will, such as the following:
- SR Barrel, AB 2019 S 1240:
“It is undisputed that there must always be explicit consent for the processing of particularly sensitive personal data.”
- NR Fluri, AB 2019 N 1787:
“We propose that you require explicit consent in paragraph 7 for the processing of particularly sensitive personal data […] Minority I (Wermuth) requires explicit consent for profiling that entails a high risk to personality or fundamental rights.”
However, this is not how I understand these statements. On the contrary, there was obviously confusion in the councils as to the concept of the DPA. And the voices that do not assume a fundamental consent requirement are much clearer, especially those of BR Sommaruga:
- BR Sommaruga, AB 2019 N 1788:
“Neither in the current data protection law nor in the draft of the Federal Council is consent required in principle for the processing of personal data; thus, no so-called opt-in system applies. Nevertheless, consent plays an important role for private data processors. Consent can be used to justify data processing that violates personal rights. In this case, the consent must meet various requirements: Consent must be given voluntarily and unambiguously after adequate information has been provided; and if particularly sensitive personal data is processed or profiling is carried out, consent must be explicit.”
- NR Wormwood, AB 2019 N 1785:
“It is already about the special case – if you will – where consent is necessary at all. This concerns, for example, consent under Article 27(1), subject justification grounds for violations of personality – then just when you consent to the violation of personality accordingly, which is then no longer one.”
- SR Barrel (on 23 September 2020):
The EU General Data Protection Regulation provides that any processing of personal data is unlawful unless the data subject has consented to the data processing or there is another legal ground. The conception in our law is the other way around. Data processing is generally permissible unless there is an exceptional circumstance.
And it is also clear from the message that no departure from the current system was intended with the e‑DSG:
Increased requirements are also placed on consent for profiling, as is already the case under current law for the processing of personality profiles.
This should make it clear:
- The Wording of the FADP as well as the e‑DSG suggests that consent is not always required for data requiring special protection and for profiling or the processing of personality profiles. The relevant provision is structured in the same way in each case: “In [or for] the processing of [particularly sensitive personal data/personality profiling/profiling], consent must be explicit.” This is different from “The processing of […] requires explicit consent”. and makes it clear that a possible consent requirement stipulated elsewhere is taken up and specified here, but is not made a statute.
- From the Systematics the same results in two respects: Firstly, the expressiveness is not mentioned – like other prohibition principles, such as processing against the will of the data subject – with the personality violations (in Art. 12 DPA or Art. 26 E‑DSA), but at the front, in the general provisions. Secondly, it follows from the justification provisions (Art. 13 DPA and Art. 27 E‑DPA) that consent is on an equal footing with the other justification grounds. To allow only consent for certain processing, but no other grounds for justification, would be alien to the FADP.
- The Legislative History shows that the prohibition of profiling without consent was considered but not included in the law.
- The votes in the Consulting make it clear that the councils did not want to introduce a prohibition principle for profiling.
It therefore remains the case that profiling, whether low-risk or high-risk, does not require consent unless it violates a processing principle.
Conversely, a Consent for profiling then requiredwhen
- a Processing principle violated becomes, e.g.
- the principle of transparency (which, however, cannot already be derived from a breach of the duty to provide information under Art. 17 E‑DSG, because Art. 17 E‑DSG is neither a processing principle nor a concretization of the principle of transparency),
- the principle of purpose limitation (whereby profiling as such is not a purpose, but a processing modality, a “means” of processing. Anyone who carries out new profiling for a previously permitted purpose therefore does not violate the purpose limitation principle),
- the principle of proportionality (whereby proportionality is based on the purpose of the processing; profiling is therefore proportionate insofar as it is suitable and necessary for a purpose, even if it is comprehensive – e.g. for the purpose of marketing personalization; the purpose, for its part, is not subject to the principle of proportionality, but to that of economic freedom);
- and at the same time no other justification exists.