Subject area human rights and economy

Right to privacy in the digital age

Everyday life on the Internet and in social networks - a challenge for privacy and data protection

Significance in practice

  • In the last ten to twenty years the digital world has developed rapidly and is regularly one step ahead of data protection.
  • The processing of personal data always represents an invasion of privacy. In order to protect privacy, sufficient legal regulations must be created to justify such encroachments. Rights that apply offline are also protected online.
  • Increasing fear of terrorist attacks is causing states to expand the digital surveillance of personal data.
  • Efforts are underway at both national and international levels to strike a balance between protecting privacy and protecting public safety.
  • Although the primary duty of protection lies with the state, companies can also make an important contribution to the protection of privacy.

Internet habitat

Human rights apply in virtual, digital space as well as in real life. Particularly affected in a digital environment are the right to privacy (Art. 13 BV, Art. 8 ECHR, Art. 17 UN Pact II, Art. 12 UDHR) and freedom of expression and information (Art. 16 BV, Art. 10 ECHR, Art. 19 UN Pact II, Art. 19 UDHR). Thanks to technological developments, we now communicate more easily, faster and more frequently than in the past. The possibilities to find out about any topic and to exchange ideas are almost limitless today, which can have a beneficial effect on participation in the democratic process.

The right to privacy and the right to informational self-determination, on the other hand, can be jeopardized by technological progress. Well known is Facebook, a social network in which personal data is stored. Based on this data, targeted advertising is then placed on the respective user accounts. Other examples are incompletely anonymized people on Google Street View or the revelations by whistleblower Edward Snowden.

Big data

Thanks to the latest technologies, it is now possible to collect, store and access a very large amount of data from various sources. “Big data” describes the combination of large data collections with their systematic analysis. The Federal Data Protection and Information Commissioner (FDPIC) names four characteristics in particular that make up big data: large data volume (volume), high speed (velocity), variety of data (variety) and the added value that should be obtained through the data analysis (value). The frequently used term data mining, in contrast, refers to the mere search for information and is thus a preliminary stage of big data. Big data offers completely new possibilities on various levels. In the social sciences and in product market research, for example, the behavior of Internet users can be observed and analyzed thanks to big data. Online businesses use big data to optimize their services. In the area of public security, the fight against terrorism today relies largely on personal data from the Internet. However, according to the FDPIC, the use of big data is in conflict with the fundamental principles of data protection.

Mass surveillance and data protection

In Switzerland, the Data Protection Act (DSG) regulates the handling of personal data; it aims to protect the personality and the fundamental rights of persons about whom data is processed (Art. 1 DSG). According to Art. 3 let. a DSG, personal data is all information that relates to a specific or identifiable person. According to the Federal Supreme Court, this also includes IP addresses, provided that the owners can be determined in a specific individual case (BGE 136 II 508). Particularly sensitive data include information about religious or political views, about health or privacy, or about criminal prosecutions. With regard to data protection, new applications and devices that save people's health information directly on smartphones or in a cloud are currently very controversial.

Big data is in a tense relationship with the basic principles of the Data Protection Act, especially with regard to earmarking and data economy. This is because the collection of big data is not about targeted data processing, but about mass surveillance that is automated using mathematical algorithms. According to the FDPIC, sufficient anonymity is not guaranteed because the combination of different (anonymised) data allows conclusions to be drawn about people. Most internet users are not aware that their details may be stored and processed, nor do they know about the purpose of the data collection. This is problematic because the acquisition of personal data usually requires the consent of the individuals concerned. The applicable general terms and conditions (GTC) are often not only very extensive, but also difficult for users to understand. Another difficulty is the unpredictability of technological developments. Data that is still anonymous today may be assigned to a person tomorrow.

The acquisition of personal data can not only violate the right to privacy, it can also have a deterrent effect on the exercise of other human rights, such as freedom of expression and information. If you have to assume that your data is being monitored, you may forego using the services in question. If this waiver is made involuntarily, because there are no safe alternatives, this can ultimately lead to a restriction of the freedom of information and freedom of expression. Last but not least, international minimum standards for data protection legislation aim to prevent or at least reduce such restrictions.

International aspirations

In December 2013, the UN General Assembly stated that due to the global and open nature of the Internet and the rapidly advancing information and communication technologies, the private sphere, but also the freedom of expression of every individual, were increasingly endangered (A/RES/68/167). For this reason, the General Assembly emphasizes that all rights that apply offline must also be protected online to the same extent. It commissioned the Office of the United Nations High Commissioner for Human Rights (OHCHR) to write a report on protecting and promoting the right to privacy in the digital age, which was presented on June 30, 2014 (A/HRC/27/37). The OHCHR concludes that international human rights legislation provides a clear framework for ensuring the right to privacy. In particular, it addresses Article 12 of the Universal Declaration of Human Rights and Article 17 UN Pact II, both of which state that no one may be exposed to arbitrary or unlawful encroachments on their privacy. The same right is anchored in Article 8 of the European Convention on Human Rights and in Article 13 of the Swiss Federal Constitution. According to OHCHR, adequate protection of privacy in the digital age and its legal anchoring is a major challenge for the international community and the individual countries. The UN Human Rights Council therefore decided at the end of March 2015 to appoint a UN special rapporteur on the right to privacy (see media release of March 26, 2015).

At the international level, the OECD Guidelines for Multinational Enterprises are also noteworthy. They mention the protection of privacy in the chapter on consumer interests. Companies should “respect the right of consumers to the protection of their privacy and take appropriate measures to ensure the security of personal data that they collect, store, process or disseminate”. If a company does not adhere to this provision, those affected can report to the National Contact Point, which every OECD member state and every third country that has adopted the OECD Guidelines must set up. The contact point can propose mediation and arbitration procedures and, depending on the situation, make recommendations (on the whole topic, cf. SKMR newsletter article of February 1, 2012).

Developments in Europe

In 1995, the EU data protection directive introduced minimum data protection standards and a right to delete data (95/46/EC). A comprehensive revision of data protection regulation in the EU is currently being discussed on the basis of the drafts for a new General Data Protection Regulation of January 2012 (COM(2012) 11 final) and a new directive on data protection in the context of criminal prosecution (COM(2012) 10 final). The revision aims to ensure, among other things, that citizens have control over their data, especially on the Internet. In order to take account of new technological developments, the e-privacy directive (2002/58/EC) was supplemented in 2009 by the so-called cookie directive (2009/136/EC). Cookies store user names, passwords or other preferences, for example, which can be useful for users. However, cookies can also be used to analyze the surfing behavior of Internet users and create user profiles. The cookie directive introduced the informed consent solution: users should be able to consent to the storage of data by cookies after they have been informed in detail about this.

In a preliminary ruling, which is central to data protection, the European Court of Justice (ECJ) ruled that Directive 2006/24/EC on the so-called retention of data is invalid. The Directive gave state authorities the right, under certain conditions, to “reserve” the data generated or processed in the provision of publicly available electronic communications services or public communications networks, in the event that they are needed. The Court concluded that the directive was too imprecise given the seriousness of the invasion of privacy. In addition, private providers or operators would not ensure a high level of protection, since the directive allows them to take economic considerations, in particular costs, into account when implementing security measures. In addition, the irrevocable destruction of data after their retention period has expired is not guaranteed (judgment C-293/12 of April 8, 2014).

One month later, in the Google case, the ECJ affirmed a “right to be forgotten” based on the applicable EU data protection law. According to this, a person may have the right to have information about them not appear in the hit lists of a search engine. This is the case, for example, if the listing in the result list no longer corresponds to the purpose of data processing by the search engine operator, goes beyond this or is no longer necessary. In the specific case, the plaintiff wanted to prevent a Google search for his name from returning results about a property seizure sixteen years ago due to unsettled social security claims. The Court concluded that, in this case, the plaintiff's interest in protecting his privacy took precedence over Google's economic interests and that there was no overriding public interest in including this information. In such cases, the operator of the search engine does not have to delete the personal data when the person concerned requests it, as is often incorrectly reported, but rather has to remove the corresponding links from the list of results (judgment C-131/12 of May 13, 2014). As a result of this judgment, the EU data protection group, as the body responsible for monitoring EU data protection law, passed criteria for the attention of the national data protection officers, which specify the requirements for the assertion of the "right to be forgotten" (14/EN WP 225 of 26.11.2014).

In addition to the protection of privacy in the ECHR, the central instrument for data protection in the Council of Europe is the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 1985 (Data Protection Convention). To date, 45 of the 47 Council of Europe members have ratified the convention. It came into force in Switzerland in 1998. However, the data protection convention is not tailored to the new developments in data processing technology and is therefore now being revised. Among other things, the right to data protection in the sense of an indispensable fundamental right and the mechanisms for implementing and enforcing the convention are to be strengthened.

Data protection obligations of the states

States not only have the duty to respect and guarantee human rights, they also have the task of protecting individuals from human rights violations by third parties. In the area of data protection, the state's duty to protect applies in particular when private companies procure personal data for their own purposes and thereby possibly violate the privacy of users. States must take appropriate measures to prevent and punish such violations. This can be done through legislation (data protection laws), through the provision of complaint mechanisms, through criminal prosecution, etc. This state duty to protect is reaffirmed and specified in the UN Guiding Principles on Business and Human Rights for human rights violations emanating from private companies. While states are not directly responsible for a violation by a third party, they are violating their duty to protect human rights if they do not take appropriate measures to prevent the violation, do not investigate, or do not provide appropriate legal remedies.

The European Court of Human Rights (ECHR) recognizes state protection obligations, for example in the context of Art. 8 ECHR, the right to respect for private and family life (e.g. ECHR judgment Aksu v Turkey of March 15, 2012, § 59). Art. 8 ECHR also includes the integrity and confidentiality of personal correspondence, which means that, for example, the monitoring of digital communication constitutes an invasion of privacy and must accordingly be adequately justified. In the Copland v. UK case of April 3, 2007, the ECHR found a violation of Article 8 of the ECHR when a state educational institution had an employee's phone, email and internet usage monitored to see whether they were doing too much private business while working. However, the ECHR has not yet had to judge a case in which it is criticized that the state has not fulfilled its obligation to take precautions against the illegal processing of digital personal data by private individuals. The two complaints currently pending before the ECHR regarding the NSA affair against the United Kingdom, in which, among other things, a violation of Art. 8 ECHR is alleged (No. 58170/13 Big Brother Watch and others v. United Kingdom and No. 62322/14 Bureau of Investigative Journalism and Alice Ross v. United Kingdom), concern attacks by the state, not by private individuals.

States have a duty to respect human rights and, in particular, data protection, but this duty can conflict with the state's interests in the processing of personal data. In the NSA affair between 2007 and 2013, around 200,000 people around the world were constantly monitored, and their privacy was thus significantly invaded. The United Kingdom and the United States justify the interventions by stating that they are indispensable for the fight against terrorism and for public safety in general and are therefore proportionate. It remains to be seen how the ECHR assesses this attempt at justification.

The CJEU is currently dealing with the state's duty to protect against violations of privacy by companies as part of a procedure initiated by an Austrian against the Irish data protection authority. The plaintiff accuses the Irish data protection officer of failing to prevent the transmission of mass data by Facebook to the American authorities, which means a violation of the privacy of those concerned and of EU data protection law. According to EU law, the transmission of data to foreign authorities is permitted if a data protection standard comparable to EU law exists. In 1999, the European Commission had issued a decision on the USA concerning the so-called Safe Harbor Principles (2000/520/EC). Accordingly, a declaration by an organization or a company in the USA that the protection provisions applicable in the EU are accepted is sufficient to meet the requirement of the comparable level of protection. The Court of Justice must now decide in the course of a preliminary ruling whether this decision of the Commission is binding on the Irish court, which has to judge the action against the Irish data protection officer, or whether it may investigate itself (C-362/14 Schrems v. Data Protection Commissioner).

In connection with the state protection obligations, the question arises as to which effective control options states still have over private Internet companies: On the one hand, there is fundamental freedom of contract between private individuals; on the other hand, states must first be aware of possible violations of data protection regulations in order to be able to take action. Because of the constantly evolving technologies, this is increasingly difficult. In addition, the major Internet companies such as Facebook, Google, Twitter, Dropbox, etc. are mostly based in the USA. The data protection regulations there apply to them, which are rather weak compared to European countries. For example, there is no legal regulation on the time limit for data storage. There is also no right to correct incorrect data or to receive information about data that is stored about oneself.

Corporate responsibility

Private companies are bound by the national data protection regulations of the respective country in which they are based or in which they conduct their business. In a global context, however, it is often unclear which regulations should be applied. OHCHR devotes an entire chapter of its June 30, 2014 report on privacy in the digital age to the role of private companies. Addressed are companies that procure and process personal data or companies that provide the corresponding software, for example telecommunications companies, internet service providers or social media platforms.

The report emphasizes that the protection of privacy must also be guaranteed in the case of a delegation of state tasks, as has sometimes taken place in the area of public security with the transfer of certain law enforcement competences to private companies (Section 42). Regardless of whether the state fulfills its own obligations, companies are responsible for respecting privacy (Section 43).

The OHCHR also refers to the UN Guiding Principles on Business and Human Rights (cf. SKMR newsletter articles from May 6, 2011 and October 31, 2012). According to this, companies are specifically required to respect human rights, not to contribute to human rights violations and to try to prevent them (Chapter II A, 11). Human rights due diligence by companies is of particular importance in the digital space (Chapter II B, 17 ff. of the guidelines). Potential impairments of the right to privacy and other human rights through economic activities of a company in the digital space should be identified in advance and, whenever possible, prevented or at least mitigated.

The OHCHR also states that companies should try to protect privacy - and other human rights that may be affected - as far as possible when government requests for access to personal data are made (Section 45). The mandate of the state must be interpreted as narrowly as possible and the persons concerned must be informed so that sufficient transparency is guaranteed and they can, if necessary, defend themselves against the disclosure of information. The report recommends that companies set up mechanisms for those affected (Section 46), which could, for example, request the deletion of certain data.

These recommendations to private companies do not change the fact that the primary duty to protect privacy and other human rights particularly affected by digital developments rests with states.

Situation in Switzerland

Switzerland has drawn up various legal bases that serve as the basis for the processing of personal data and provide for appropriate measures in the event of privacy violations. The most important decree is the Data Protection Act. According to Art. 12 DSG, private data may also be processed, as long as the personality of the person concerned is not violated. If, however, a violation of personality does take place, civil action is available analogous to Art. 28 ZGB (protection of personality). Within the framework of applicable law, action can be taken against companies that unlawfully intervene in privacy (e.g. BGE 138 II 346 Google Street View, in which the Federal Supreme Court ruled that Google is obliged to subsequently anonymize, free of charge, people who can be recognized in Google Street View). In the case of such violations of personality or general invasions of privacy by private companies that are based abroad, where different data protection regulations apply, various difficulties arise.

Due to the rapid technological and social developments taking place on a global level, the DSG is to be revised. On April 1, 2015, the Federal Council commissioned the FDJP to draw up a preliminary draft for the amendment of Swiss data protection law, taking into account the ongoing data protection reforms in the EU and the Council of Europe. The goals of the revision include earlier action or strengthening of data protection, increased awareness of the persons concerned, increasing transparency, improving data control and control, and protecting minors (see report by the DSG Revision Monitoring Group). The preliminary draft is expected to be available by the end of August 2016.

The Federal Data Protection and Information Commissioner (FDPIC) monitors compliance with the data protection act in Switzerland. In particular, he can clarify certain facts more precisely on his own initiative or upon notification of third parties and issue recommendations on the basis of these clarifications. In the private sector, the FDPIC acts primarily in an advisory capacity. In the event of conflicts between private individuals or between private individuals and the state, it has the role of mediator.

Monitoring of telecommunications traffic and intelligence

The Federal Act on the Surveillance of Post and Telecommunications Traffic (BÜPF) is currently being totally revised and will probably come into force in 2017 at the earliest. In connection with the BÜPF revision, the National Council approved the expansion and operation of the processing system for telecommunications surveillance and the federal police information systems on March 11, 2015 (Official Bulletin of the National Council, spring session, ninth session). This is intended to adapt telecommunications monitoring to technological innovations and to facilitate the work of the Post and Telecommunications Monitoring Service (ÜPF). In Switzerland, the ÜPF service is responsible for monitoring postal and telecommunications traffic, which also includes the Internet. As a matter of principle, the ÜPF only carries out telecommunication surveillance when instructed by the law enforcement authorities in the context of criminal proceedings. Outside of criminal proceedings, telecommunications may only be monitored to find a missing person. The ÜPF obtains the necessary data from the telecommunications service providers (FDA), and thus mainly from private companies. Anyone wishing to offer a telecommunications service in Switzerland must report this to the Federal Office of Communications (OFCOM). OFCOM's list comprises around 560 FDAs.

The total revision of the BÜPF is not aimed at a quantitative increase in telecommunications surveillance, but rather at a qualitative improvement. From the point of view of data protection, the Federal Council expects a high level of care and attention from the OAP, since personal data is processed (see Federal Council message). From the perspective of the Federal Council, the revised BÜPF offers a sufficient formal legal basis for interfering with personal data.

One point of criticism of the new BÜPF is the expansion of data retention. Telecommunications service providers are now obliged to keep the data necessary for subscriber identification as well as traffic and billing data for twelve (instead of the previous six) months. The Federal Council justifies this by stating that the violation of fundamental rights caused by the storage of personal data without suspicion in Switzerland will be compensated for by a "strict regulation of access and use as well as legal remedies for the persons concerned". The Federal Council does not consider the judgment of the ECJ of April 8, 2014 to be relevant for Switzerland.

Further legal bases for the processing of personal data are the Federal Act on Measures to Safeguard Internal Security (BWIS) and the Federal Act on Responsibilities in the Field of the Civil Intelligence Service (ZNDG). These authorize the Federal Intelligence Service (FIS) and other security organs to process personal data under certain conditions. However, this involves targeted data processing. Incorrect or unnecessary information must be destroyed.

In connection with the BÜPF revision and with organizational innovations in the intelligence and security services, a uniform intelligence service law (draft NDG) is to be passed, which replaces the BWIS and the ZNDG. The proposed NDG is highly controversial because it would give the FIS the new authority to intercept telephone calls, monitor chat rooms or break into computer systems, among other things. However, such measures may only be taken for the purposes defined by law, namely the defense against terrorism, trade in weapons of mass destruction and espionage. The measures must also be approved by the Federal Administrative Court, the Security Committee of the Federal Council and the Head of the Federal Department of Defense, Civil Protection and Sport, DDPS. The National Council passed the Intelligence Service Act on March 17 by 119 votes to 65 with 5 abstentions. Now the Council of States has to decide on the law. If it makes no further changes, a referendum is likely.

Conclusion for Switzerland

With technological developments, the risks to privacy and data protection have also increased in Switzerland. It is true that private Internet companies that process data must adhere to national data protection regulations; Swiss data protection law, however, like that of most European countries, is lagging behind the new developments and faces increasing legal challenges.

In Switzerland's state reports to the UN treaty bodies and in the context of the Universal Periodic Review (UPR) to the UN Human Rights Council, data protection has not yet been an issue. This could change in the future. Efforts are underway to adapt Swiss law, in particular data protection and telecommunications surveillance legislation, to advanced digital technology, but the outcome is still open. The planned revisions of the NDG and BÜPF are both legally and politically highly controversial. It is feared that a "mini-NSA" will be created that can no longer be controlled, as it can invoke the interest in secrecy (cf., inter alia, Votum Glättli, Official Bulletin of the National Council, spring session 2015, twelfth session).

Ultimately, the question remains as to how Switzerland can protect its citizens against violations of their privacy caused by foreign internet companies, since different data protection rules apply to them. Only international standards will provide a solution here, which is why Switzerland's involvement in the relevant bodies of the UN and the Council of Europe is all the more important.

23.04.2015