Postu­la­te Schwa­ab (13.3806): Pro­tec­tion of pri­va­cy by default

EN 
EN  DE  FR 

from

on

Indu­stries

Aut­ho­ri­ty

Laws

Topics

Take-Aways (AI)
  • Intro­duc­tion of “pri­va­cy by default”: Data pro­tec­tion-fri­end­ly default set­tings should ensu­re maxi­mum pro­tec­tion of per­so­nal data by default.
  • Shif­ting the obli­ga­ti­on: Data pro­ce­s­sing com­pa­nies must offer the hig­hest level of data pro­tec­tion as stan­dard; users must actively con­sent to fur­ther processing.
  • Legal obli­ga­ti­on: Data pro­tec­tion law should obli­ge com­pa­nies to pro­vi­de tech­ni­cal default set­tings and simp­le acti­va­ti­on of maxi­mum protection.

Postu­la­te Schwa­ab (13.3806): Pro­tec­tion of pri­va­cy by default
Writ­ten off (25.09.2015)

Sub­mit­ted text

The Fede­ral Coun­cil is ins­truc­ted to exami­ne whe­ther it is appro­pria­te to amend data pro­tec­tion legis­la­ti­on to intro­du­ce the con­cept of data pro­tec­tion-fri­end­ly default set­tings (“pri­va­cy by default”).

Justi­fi­ca­ti­on

Num­e­rous com­pa­nies, espe­ci­al­ly social net­works, that coll­ect per­so­nal data only offer a high level of pro­tec­tion for this data via leng­thy and com­pli­ca­ted set­tings. In addi­ti­on, they con­stant­ly chan­ge their gene­ral terms and con­di­ti­ons with regard to data pro­tec­tion and thus force their users to adjust their pri­va­cy set­tings, which is always only pos­si­ble via almost end­less detail­ed set­tings. So, if you want to enjoy maxi­mum data pro­tec­tion, you have to regu­lar­ly adjust your pri­va­cy set­tings yours­elf. Sin­ce this is incre­di­bly tedious, many users even­tual­ly give up tired of the struggle.

The con­cept of data pro­tec­tion-fri­end­ly default set­tings put for­ward by EU Com­mis­sio­ner Vivia­ne Reding turns the tables in favor of con­su­mers. Anyo­ne who pro­ce­s­ses per­so­nal data must gua­ran­tee maxi­mum data pro­tec­tion as stan­dard. The aim is to pre­vent per­so­nal data from being misu­s­ed and from being used for pur­po­ses for which the per­son con­cer­ned has not given his or her consent.

If a user is satis­fied with a lower level of pro­tec­tion, he or she must take action and allow any data pro­ce­s­sing that goes bey­ond that to which he or she ori­gi­nal­ly con­sen­ted. If the gene­ral terms and con­di­ti­ons or ano­ther agree­ment pro­vi­de for a use of per­so­nal data that requi­res the con­sent of the data sub­ject, it is assu­med that this con­sent is refu­sed unless it has been express­ly given.

Pri­va­cy pro­tec­tion by means of pri­va­cy-fri­end­ly default set­tings (“pri­va­cy by default”) dif­fers from pri­va­cy pro­tec­tion by means of built-in data pro­tec­tion (“pri­va­cy by design”) in that it only con­cerns con­sent to data processing.

Data pro­tec­tion legis­la­ti­on should obli­ge all indi­vi­du­als and com­pa­nies that pro­cess per­so­nal data to ensu­re maxi­mum data pro­tec­tion via the tech­ni­cal default set­tings. Tho­se who pro­cess per­so­nal data should also ensu­re that the data sub­jects can acti­va­te maxi­mum pro­tec­tion quick­ly and easily.

<

h1>Federal Coun­cil motion

<

h1>

The Fede­ral Coun­cil pro­po­ses that the postu­la­te be accepted.