16th Report on Activities
Bern, 29.06.2009 - Over the course of last year, the FDPIC (Federal Data Protection and Information Commissioner) dealt with a number of issues which included: concluding a safe harbor agreement with the USA; observing the developments of modern network-based video surveillance systems; carrying out supervisory and information activities in conjunction with the implementation of the Schengen agreement; holding discussions on the implementation of a pay-as-you-drive-system and the installation of black boxes in motor vehicles; issuing a recommendation on a tenant verification service; and giving his opinion on the revision of the debt collection and bankruptcy laws. During the period under review, which ran from 1 April 2008 to 31 March 2009, the FDPIC focussed a great deal of attention on the question of privacy and the Internet. He outlined the conditions under which an online assessment platform should operate; he identified the dangers associated with social networks, and advised users, operators and the authorities on how to ensure the conformity of such services with data protection requirements; and he drafted an opinion on the protection of privacy in news published on the Internet. In his 16th annual report, the FDPIC advises pension funds on the correct handling of personal pension fund ID cards, sets out his position with regard to the disclosure of personal data to third parties by associations and organizers of sports events, and provides an annual assessment of requests for access to records, requests for mediation, and recommendations made in the context of the Transparency Act.
The transmission of personal data to countries which do not provide an adequate level of data protection may only be authorized under specific conditions. The USA is one such country. In order to simplify data transfers between Switzerland and the USA, the FDPIC and the State Secretariat for Economic Affairs (SECO) negotiated a Safe Harbor Agreement with the USA. As a result, the privacy rights of the persons concerned have been strengthened.
Technical progress allows video surveillance to be used for increasingly complex applications, but it also offers better privacy protection. Today, hundreds of cameras across the entire globe can be used to distribute images to databases and a large number of users. By encoding or encrypting the images, providing physical protection against unauthorized access and splitting the deciphering key into separate parts for a more effective dual control principle, compliance of the purposes of video surveillance systems with the data protection requirements is ensured.
After the evaluation by the European Union of Switzerland’s data protection regulations, the FDPIC began developing his information and supervisory activities within the framework of the Schengen agreement. He expanded his cooperation with the cantonal data protection authorities, carried out an inspection of the Swiss diplomatic representation in the Ukraine, provided information on the Schengen Information System (SIS) and made sure that users were conscious of the need to use it judiciously. The FDPIC has also been working on the implementation of the measures recommended by the EU.
Car insurers are keen to tailor their offers to the individual needs of motorists. In order to do so, they evaluate data about the condition and the movements of the vehicle. Increasingly, however, they also collect data which are not event-related, for example driver behaviour recorded on a daily basis. The new technology available makes it possible to collect unlimited amounts of data on people’s movements which can then be used for pay-as-you-drive systems. From a data protection perspective, there are inherent risks involved. The scope, storage and use of such data must be compliant with the principles set out in the Data Protection Act.
In the year under review, the FDPIC issued a number of recommendations concerning an agency that provides credit rating information on tenants. The purpose of such services is to help landlords reduce the risk of a loss of income owing to the non-payment of rent by bad tenants. The way the data are processed, however, has numerous shortcomings. Last year, the provider of the tenant screening service has already introduced a number of changes into his system. He has now, following thorough discussions, accepted the FDPIC’s recommendations and agreed to his proposals of alteration.
Data from debt collection registers are extremely sensitive. The FDPIC has thus produced an opinion on the need for a revision of the Swiss Debt Enforcement and Bankruptcy Law, and he has called for the period of notification to be adapted. Currently, with few exceptions, data from the debt collection register are held for five years even after payment has been effected or the enforcement order has been withdrawn. The FDPIC suggests the introduction of a staggered right of inspection. This would create an incentive for people to pay their debts, since those who settle will have their financial reputation restored after one year.
Considerable parts of our lives today take place via the Internet. It constitutes a medium that is accessible from any part of the world where nothing is forgotten. This has prompted the FDPIC to take a closer look at some of the individual issues relating to this change. For example, he has set out the conditions under which an online assessment platform for services or professional groups may be operated, highlighted the risks for operators and users, and recommended measures to reduce the possibility of privacy rights being infringed. Social networks, which have come into widespread use, also represent a number of dangers to which the FDPIC has drawn attention. The data concerning individuals who reveal personal information about themselves on the Internet will end up in countless databases, including private ones, and in the process they lose control over their own personal data. The operator of such pages are able to combine this personal data with metadata from which they can compile a very detailed and profitable personality profile. The FDPIC advises users, service providers and the authorities on the way such services may be provided in a manner that respects data protection requirements. News reporting on the Internet is a subject that has occupied the FDPIC on several occasions over the past year. When participants at an event can be clearly identified, there may be a infringement of privacy rights. It all comes down to the type of reporting: if the text and pictures focus on aspects that are of public interest (such as the type of event or occurrences during the event), and provided that the privacy of the individuals present is not infringed, there are no concerns. However, the FDPIC has underlined the fact that it is illegal to portray or to severely criticize individual participants without their authorization if there is no overriding public interest.
Salaried employees who are insured in a pension fund are regularly sent a new personal ID card. The employer does not need the information contained on the card, which is why the FDPIC believes that pension funds that send personal ID cards to the employer for distribution to their employees are not acting within the data protection law. As no agreement has been reached on this subject with the pension fund that is in breach, the FDPIC will be drafting a recommendation.
Associations or organizers of sports events may not pass on data regarding members or participants without their authorization. The use of personal data that may be required for the event, and which is recognizable as such for the participants, is allowed (start times, classification lists, times etc.). The transfer of such data to sponsors for marketing purposes, or to photographers and other third parties, is only acceptable with the authorization of the persons concerned. The latter must also have the possibility of objecting to their data being transferred.
The transparency principle has now been in effect for three years. Not only does the FDPIC take stock of developments regarding requests for access to files, as well as past recommendations and cases where he has been called upon to mediate in his 16th Annual Report. He also commissioned an external evaluation on the implementation, implementation costs and the effectiveness of the Transparency Act. The results of that study will be presented during the press conference on 29 June 2009.
Further issues addressed in the 16th annual report can be found in the summary attached to this press release.
Publisher
Federal Data Protection and Information Commissioner
https://www.edoeb.admin.ch/edoeb/en/home.html
