26th Annual Report 2018/2019: Switzerland must maintain its level of data protection
Berne, 18.06.2019 - The FDPIC expects that the Federal Council and Parliament will continue to guarantee the Swiss population a level of data protection that is in line with its European neighbours by signing the Council of Europe Convention 108 in the near future and swiftly bringing to a close the complete revision of the Data Protection Act. In the area of data protection supervision, the Commissioner is focusing on the federal security services and the company SwissSign. With regard to the Freedom of Information Act, the consolidation process established last year will continue.
Demand for an imminent end to a difficult period of transition
The complete revision of the Federal Act on Data Protection (FADP) entered the legislative process with its presentation by the Federal Council with an accompanying report to the Federal Parliament in September 2017. Yet the revised act has still to be debated in both chambers of Parliament. However, for the past year, the new General Data Protection Regulation (GDPR) has applied throughout the European Union and European Economic Area (EEA). The ongoing period of transition pending the entry into force of the revised FADP continues to pose a challenge. Data protection authorities in the EEA states have been strengthened in terms of personnel and are now using their new powers to issue decisions and impose sanctions; meanwhile, in its dealings with the private sector and most federal authorities, the FDPIC only has the power to make recommendations provided for in the FADP of 1992. His resources have also remained essentially unchanged since 2005, a situation which led the EU Commission in its Schengen evaluation in March 2019 to assess the control density and resources of Switzerland’s federal data protection authority as inadequate. In the spring of 2019, the Commission began a general evaluation of the level of data protection in Switzerland. In this context, it would be advisable for the Federal Council to make use of the fact that the updated Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) has been open for signature since October 2018. The European Commission has repeatedly pointed out that the ratification of the updated Convention is a decisive criterion in assessing a country’s level of data protection as adequate.
Schengen Data Protection Act improves supervision of the federal security authorities
The Schengen Data Protection Act (SDPA), which came into force on 1 March 2019 and which regulates the processing of personal data in relation to police matters, provides the FDPIC with additional duties and powers. The Commissioner now expects the Federal Council to make available the human resources needed to enable him to set a corresponding priority in the supervision of the federal security authorities.
In this connection, the FDPIC is also monitoring the worldwide trend among security services of intensifying the processing of biometric data, using technologies such as DNA profiling, facial recognition and voiceprints. The FDPIC has called for the introduction of related legislation that is sufficiently specific and proportionate.
In relation to this, the draft Federal Act on Police Measures to Combat Terrorism (PMT) does not set a good example. In the Commissioner's opinion, this act is not sufficiently specific in respect to the provisions on data processing and will aggravate the existing confusion of special legislative acts in the area of federal law on police matters.
E-ID and SwissSign
At the hearings in the legal affairs committees of both chambers of parliament, the FDPIC saw his task as promoting the highest possible level of data protection irrespective of the political decision of the parliament in favour of a purely state or only partially state solution. The Commissioner has also called for various improvements to the E-ID Act. The National Council and the Council of States have made the prior consultation of the FDPIC by the licensing authority a requirement for recognition under the law. Furthermore, the FDPIC insisted that the report to the Federal Parliament be amended to make it clear that E-ID should only be used where secure identification in business transactions is absolutely necessary. For the countless online consumer transactions or purchases of simple services where this is not necessary, it must be ensured that the E-ID Act does not create new identification obligations in analogue or electronic business transactions. The two chambers of parliament have amended the purpose article of the Act accordingly.
With regard to the supervision of SwissSign's activities, which are associated with considerable data protection risks, the FDPIC aims to ensure that the operational data protection now in use transparently highlights the risks related to single sign-in solutions. SwissSign should be required to counteract these risks, particularly in view of the fact that it wants to be approved as a provider under the E-ID Act, through exemplary protective measures and by investing in data protection-friendly technologies.
The Federal Administration becomes more transparent
The FDPIC notes that the federal authorities are becoming increasingly consistent in applying the Freedom of Information Act (FoIA). In particular, the number of requests for access granted in full is keeping pace with the rising number of requests overall, while the percentage of requests for access that are refused in every respect has steadily decreased over the years. In the 2018 reporting year, there was a 9.5 per cent increase in the number of requests for access, with 636 requests received compared with 581 in 2017.
In addition, the Commissioner generally notes a more active policy on the part of the federal administration of providing information, which is probably largely attributable to the progress made in implementing the FoIA. This trend, together with the increased number of consensual solutions and further efficiency improvements in the conciliation procedure before the FDPIC, ultimately allowed the Federal Council to dispense with a revision of the FoIA in May 2019.
The full 26th FDPIC Annual Report 2018/2019 is available in digital form at www.edoeb.admin.ch.
Address for enquiries
Media office FDPIC,
Federal Data Protection and Information Commissioner