The data protection of the future

Data protection is ultimately about protecting privacy, particularly in the digitalized world of the future. According to Article 13 of the Federal Constitution, everyone has a claim to this fundamental right, which is also rooted in Article 8 of the European Convention on Human Rights (ECHR).

On September 15, 2017, the Federal Council released a dispatch aiming to adapt data pro-tection to the internet era and strengthen the position of citizens. In Article 4 Letter f, the draft mentions profiling. The definition of this term largely corresponds to that of the EU General Data Protection Regulation (Art. 4 Para. 4 EU GDPR). Profiling of individuals re-quires individuation; for example, to distinguish between people with the same name. The easier this individuation is, the greater the threat to privacy.

The simplest means of distinguishing between individuals is their date of birth. We consider the current handling of dates of birth to be a matter of serious concern. For example, in ref-erence to the theft of data in fall 2017, the Head of Communications at Swisscom said that: “An unknown party [...] gain[ed] unlawful access to [...] the names [...] and dates of birth of customers. This information is classed as ‘non-sensitive personal data’ under data privacy laws.” The February 7, 2018 press release also mentioned that sensitive data such as pass-words was not affected.

Dates of birth should be considered sensitive, as they simplify profiling over the long term. In general, we recommend distinguishing between personal data that is of a permanent na-ture, and that which is easy to change. Permanent data is sensitive in the long term, as its accumulation can affect privacy. If a large number of parties make what is, subjectively speaking, relatively impersonal data available, the sum total of the data may nonetheless have grave consequences for the individual in question.

Permanent personal data includes names, dates and places of birth and biometric character-istics. This data cannot be changed, or is very difficult to change, and significant importance should be attached to its protection and recoverability in data privacy laws. Passwords do not represent a long-term issue, as these can be changed at any time, unlike one’s date of birth.

In order to prevent misuse of permanent personal data, it could be stipulated that this data may only be processed if relevant information regarding its origins is available. Similar compulsory declarations are already in place for food. In addition, rights to information should come with the obligation not only to inform affected individuals about the data avail-able, but also to disclose with whom it will be shared. As with open-source software licenses, these origin/destination obligations should also be passed on to the recipients of the data. This would reduce the flows of information most susceptible to misuse and reinforce privacy.

• On September 15, 2017, the Federal Council released a dispatch calling for the com-plete revision of the data protection law https://www.admin.ch/opc/de/federal-gazette/2017/6941.pdf
• Draft ‘Federal act on the complete revision of the federal act on data protection and changes to other legislation regarding data protection’ https://www.admin.ch/opc/de/federal-gazette/2017/7193.pdf
• Legislative project ‘Strengthening data protection’ https://www.bj.admin.ch/bj/de/home/staat/gesetzgebung/datenschutzstaerkung.html
• Swisscom press release, February 7, 2018 https://www.swisscom.ch/de/about/medien/press-releases/2018/02/20180207-mm-swisscom-verschaerft-sicherheitsmassnahmen-fuer-kundenangaben.html
• EU General Data Protection Regulation (EU GDPR), valid from May 2018 https://www.eurospider.com/images/pddfs-ect/CELEX_32016R0679_DE_TXT.pdf
• Right to privacy (FC 13) https://www.admin.ch/opc/de/classified-compilation/19995395/index.html#a13 
• Right to respect for private and family life (ECHR 8) https://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680063764