- The Federal Council rejects a special criminal liability for the publication of unlawfully obtained data (data theft); existing law is generally sufficient.
- The FADP and SCC already cover the protection of particularly sensitive personal data; new criminal offenses (e.g. identity misuse) address criminal further use.
- The permissibility of publishing illegally obtained information requires a case-by-case balancing of interests between the public interest and the protection of privacy.
Postulate WAK-SR (23.4322): Handling the further use of illegally acquired data
Submitted text
The Federal Council is requested to show in a report how the Legal protection of sensitive personal data before publications of this data by social and private media can be improved and at the same time a legitimate public interest in clarifying systematic violations of the law can be taken into account. It should be examined whether the publication of unlawfully collected data should be made a criminal offense (similar to a ban on data theft).
In particular, it must be examined whether the Criminal liability for the publication of personal or other sensitive data once obtained or acquired unlawfully should be introduced and what the advantages and disadvantages of such a regulation would be. Such a regulation should continue to enable the work of the prosecution authorities, but it should also protect the persons to be protected from prejudgement by the public and generally protect their personal rights.
It is also to be examined in which cases illegally obtained information of all kinds may be published at all, or in which circumstances this is not permitted. public interest over private interest, that the illegally obtained data may not be published and in which cases criminal liability could be waived.
Justification
In principle, personal data should generally remain protected, even if it has been acquired illegally at a preliminary stage and publication is preceded by a violation of the law. This can be the case with a physical theft or through cyber attacks which take precedence over publication in a social or private medium.
If a company systematically violates the law (e.g. violation of the ban on corruption or a systematic violation of money laundering legislation), there is a public interest in having general knowledge of this, but not a public interest in the illegally acquired personal data. This data can be made available to the criminal prosecution authorities in order to initiate proceedings in accordance with the rule of law.
Sensitive information and personal data are increasingly coming into the possession of third parties through upstream illegal activities (theft by employees or cyber attacks, etc.). In these cases, it should continue to be ensured that proceedings are conducted in accordance with the rule of law against violations of the law, but that public prejudgement can be prevented in the future.
Opinion of the Federal Council of 29.11.2023
The introduction of criminal liability for the further use of unlawfully obtained or acquired data was already the subject of the Motion 22.4325 Hurni“It is important to punish the theft of digital data”. In its statement of 15.2.2023 on this matter, the Federal Council stated that the applicable substantive legal situation is in principle sufficient to record any further use of illegally acquired data. It is also convinced today that the concept of receiving stolen goods in accordance with Article 160 of the Swiss Criminal Code (SCC, SR 311.0) relates to property and protects the right to restoration of the lawful ownership. This concept, which is characterized by property law, cannot be transferred unquestioningly to the logic of any further use of data. There are divergent protection requirements for property on the one hand and for data and information on the other. The Federal Council has therefore already answered the question of whether the publication of illegally collected data should be specifically criminalized (similar to a ban on data theft) in the negative.
The Swiss Criminal Code and the Federal Act on Data Protection (FADP, SR 235.1) also already cover constellations in which the publication of certain data (by social or private media, but also in general) is prohibited. Specific important categories of data are therefore already protected by law. For example, any processing and therefore also the transmission or disclosure of personal data (Art. 2 FADP) is regulated by law. In addition, the unauthorized procurement of personal data is also covered by core criminal law in Article 179novies StGB. This protection covers all particularly sensitive personal data, which in principle also includes sensitive personal data such as health data (Art. 5 lit. c no. 2 FADP). As part of the revision of the FADP, a new criminal offense against identity misuse and theft of a corresponding identity (Art. 179decies StGB) was also introduced on 1.9.2023, which covers the criminal further use of data. Consequently, criminal liability with regard to the publication and use of data is already possible today and depends primarily on which data and which protection interests are affected in a specific case.The question of in which cases illegally obtained information of all kinds may be published, or in which circumstances the public interest outweighs the private interest in not publishing the illegally obtained data, cannot be answered in a generalized and abstract manner. Within the framework of a specific procedure, the applicable law already allows the interests of the public interest in publication to be weighed up against the private interest of the person concerned in confidentiality, which is worthy of protection. The legal assessment of the interests in question depends largely on the individual case. In addition, existing special or cantonal legal provisions or, for example, statutory confidentiality or secrecy obligations such as professional secrecy (Art. 321 StGB, Art. 321bis StGB), postal and telecommunications secrecy (Art. 321ter StGB), business and manufacturing secrecy (Art. 162 StGB) or banking secrecy (Art. 47 Banking Act, SR 952.0) may be relevant for weighing up interests. Overall, the question of the permissibility of publication must therefore be answered in each case against the background of the specific circumstances and by the competent authorities.
In view of the existing legal situation described above, the Federal Council does not see any significant added value in reporting on the issues of criminalizing the use of illegally obtained data and the permissibility of publication for overriding interests. It continues to follow international developments in this area closely, particularly in the context of the ongoing negotiations with Switzerland on a UN convention on cybercrime.