Annual Report 2015/2016
Bern, 27.06.2016 - The Federal Data Protection and Information Commissioner (FDPIC) today publishes his 23rd Annual Report.
In relation to freedom of information, in 2015 federal authorities received more requests for access than in any other year since the Freedom of Information Act came into force in 2006 (597 in total). In 319 cases (54%), the authorities granted full access, and in 127 cases (21%) partial access. In 98 of the requests (16%), access was denied. Given the steady rise in access requests, it must be assumed that levels of awareness and use of the FoIA will continue to increase.
In its judgment of 6 October 2015, the European Court of Justice declared the «Safe Harbor» data protection agreement between the EU and the USA invalid. The FDPIC informed the Federal Council that the corresponding agreement between Switzerland and the USA could no longer satisfy an adequate data protection level. On 16 December 2015, the Federal Council commissioned the State Secretariat for Economic Affairs (SECO) to renegotiate the agreement in order to improve privacy protection. In the meantime, the EU has negotiated a new agreement («Privacy Shield»). Switzerland must now seek an equivalent agreement on data transmission to the USA if it is to have comparable standards of data protection to those in the EU.
For several years, there has been considerable pressure to make use of the OASI number («AHV-Nummer») for purposes unrelated to social insurance contributions and benefits, such as commercial register transactions. This however is contrary to the original intention of parliament and increases the risk of data protection infringements considerably. In 2015, the FDPIC therefore asked the Federal Council to make a policy decision. The FDPIC takes the view that the risk of a misuse of connected data can only be limited by having separate numbers for different sectors. The Federal Council took note of the discussion paper and instructed the Federal Department of Home Affairs (FDHA) to conduct a detailed study of how the OASI number should be used.
The FDPIC also expressed his opinion on various legislative bills in 2015. He criticised two aspects of the Intelligence Service Act: the very extensive powers that it is planned to give the Federal Intelligence Service (FIS) threaten the privacy of innocent citizens. In addition, there is the risk that exempting the FIS’s information gathering activities from the Freedom of Information Act (FoIA) may render the FIS’s practices completely intransparent in the public’s awareness. As a Federal Supreme Court judgment in the May of this year showed, the FIS already has the right to keep documents secret if their disclosure could jeopardise Switzerland’s security or the relations with other states. On the other hand, the FDPIC regards the multi-level control measures that are introduced in the new act as a positive move.
In relation to Federal Act of 6 October 2000 on the Surveillance of Postal and Telecommunications Traffic (SPTA), the FDPIC reiterated his recommendation that the current retention period of six months should not be extended. He also rejected the concerns of copyright collection agencies, which use SPTA data in order to take action against illegal uploads of films and music: these practices infringe the basic constitutional protected right to postal and telecommunications secrecy.
Supervisory and control activities
In 2015, the FDPIC carried out numerous data protection checks. In the public transport sector, he examined the data processing procedures relating to the Swiss Pass. He concluded that the SBB must regularly delete data obtained from checks on passengers and should not be permitted to retain it for 90 days, as is currently the case. He also conducted detailed investigations into the data collection points used by health insurance companies. Since 2015, these have acted as a link between medical service providers and the insurance companies in order to guarantee the protection of patients’ privacy. As the checks revealed, the vast majority of collection points comply with the data protection requirements.
The investigation into the Coop customer loyalty card (Supercard) was concluded satisfactorily. At the FDPIC’s suggestion, the company improved the information on shopping basket analyses that is given to cardholders. The FDPIC also persuaded Cablecom to refine its data protection provisions in connection with the «Horizon» TV box to make it easier for customers to find out how the company uses their data.
Automatic information exchange and political rights
In the global campaign to combat tax fraud and tax evasion, Switzerland is setting the new standards. The required legal principles are currently being drawn up. The FDPIC is committed to ensuring in its various opinions and meetings that taxpayers’ rights to privacy are not neglected in the process. In relation to political rights, the FDPIC examined the procedure for collecting signatures for popular initiatives and referendums. He pointed out that using data on signatories in order to send out information letters and similar materials is only permitted if the persons concerned have freely given their express consent.
Address for enquiries
Federal Data Protection and Information Commissioner