The new “high-risk profiling” under Art. 5 lit. g revFDPA raises some questions, especially what the law means by high risk and what the consequences of such profiling are.
High-risk profiling is defined as follows:
Profiling that entails a high risk for the personality or fundamental rights of the data subject by leading to a linkage of data that allows an assessment of essential aspects of the personality of a natural person;
In essence, this is therefore profiling (within the meaning of Art. 5 lit. f revDSG) that leads to a personality profile. In the case of personality profiling under the current FADP, however, it is recognized that the existence of a personality profile cannot be assessed in the abstract, but only with regard to the concrete use in the individual case, e.g. according to the judgment of the Federal Administrative Court in the Moneyhouse case:
The question of whether a compilation of several data of a certain person results in a personality profile depends on the quantity and content of the personal information, in other words, whether and to what extent it allows value judgments to be made about the person concerned. Furthermore, a differentiation must be made according to the temporal dimension of the information. Personal data that is collected over a longer period of time and thus provides a biographical picture, as it were, by showing a development, a career of the person concerned, is more likely to qualify as a personality profile than data that represents a mere snapshot. Furthermore, under certain circumstances, the specific context in which the data is used will be a decisive factor in determining whether or not the qualified legal protection should apply. The term “personality profile” cannot therefore be defined in general terms; rather, the existence of a personality profile must be affirmed or denied in each individual case on the basis of the specific circumstances. (VPB 65.48 E. 2.b).
In my opinion, this must also apply to high-risk profiling. Consequently, high-risk profiling can only be present if its result is used or is intended to be used in the specific case in a way that justifies the qualified protection. Furthermore, profiling can never be “high-risk profiling” if it does not lead to a personality profile. If profiling results in a high risk for other reasons, a DIA must be performed, but it is by no means “high-risk profiling” that requires, for example, explicit consent (if consent is required at all in the specific case).
Furthermore, “high risk” within the meaning of Art. 5 lit. g revDSG initially only means that a DIA must be performed. This does not prejudge the outcome of the DIA; it may well show that there is no high risk in the specific case. The “high risk” in high-risk profiling is therefore only a high gross risk. In contrast, the further legal consequences of high-risk profiling (any required consent must be explicit; a representative may have to be appointed in Switzerland) only take effect if the real risk (the net risk) is actually high in the specific case.
In this context, the consequences of a failure to perform a DIA are significant: If the controller fails to perform a DIA, even though there is high-risk profiling, he may be in breach of the corresponding obligation. However, because the actual (net) risk is decisive for the further legal consequences of high-risk profiling – i.e. apart from the DIA – the controller can also invoke this low net risk outside of a DIA; the omission of the DIA does not cut off this objection. Then, according to the general rule of Art. 8 of the Civil Code, the burden of proof for the high net risk lies with the claimant, because Art. 5 lit. g revDSG indicates a high gross risk, but does not contain any presumption or other reversal of the burden of proof for the net risk.