Swiss Courts Raise the Bar for Data Processing Justification

A series of recent rulings by the Swiss Courts has raised the bar for data processing justification under Swiss law. Whilst Switzerland is not part of the European Economic Area, and is therefore not subject to the European Data Protection Directive, its data privacy rules contain a number of similar, or at least recognisable, principles. The broad data processing principles are set forth in Article 4 of the Swiss Federal Data Protection Act (the DPA), which states that personal data must be processed:

(a)   in compliance with all Swiss legal requirements outside the DPA (i.e. confidentiality rules, rights to personality (an individual’s or entity’s right to control the use and exploitation of its name, image, identity or reputation) etc.);

(b)   in good faith and proportionately;

(c)   only for the purpose which (i) was indicated at the time the data were collected; (ii) was evident from the circumstances; or (iii) was legally required; and

(d)   only if the collection of personal data as such and the purpose of the collection were already evident to the data subject at the time of collection.

Data may, however, be processed in violation of Article 4, if the processing can be justified on one of the following grounds as listed in Article 13 of the DPA:

(a)   the processing is justified by law;

(b)   the processing is justified by a prevailing public or private interest (such as the commercial impossibility / inefficiency of obtaining prior consent to data processing where this is required); or

(c)   the data subject consented to the processing.

The Court’s first step towards restricting the processing which may be justified under Articles 4 and 13 of the DPA came in the form of the 2010 Logistep ruling (German language only).  In this case, the Swiss Federal Supreme Court ruled that Logistep had breached the processing principles of the DPA by identifying the internet protocol (IP) addresses of individuals uploading and sharing copyrighted material without authorization through peer-to-peer networks, then selling these IP details on to the copyright holders who were consequently able to identify the individuals and initiate proceedings against them.

The DPA breaches identified in the Logistep ruling focused on the fact that data processing for the purposes of identifying potential copyright infringers was not indicated or evident to the users at the time their IP address data was collected. The restrictive nature of this ruling can be seen, however, in the Court’s narrow interpretation of Article 13(b) DPA: the Court held that neither Logistep’s commercial activity interest nor the copyright owner’s interest in defending its copyright was sufficient to justify Logistep’s processing in breach of Article 4 DPA. The failure before the Courts of Logistep’s argument that an interest in defending legal rights, such as copyright, may prevail over the data processing principles of Article 4 DPA makes it difficult to imagine in what circumstances a public or private interest could ever be safely relied upon to justify data processing under Swiss law.

The practical implications of this particular decision go beyond a narrowing of legitimate data processing grounds, and in effect protect potential copyright infringers from criminal penalties and damages claims on the basis of the Swiss data protection rules. That this protection remains available to potential infringers, even in the face of evidence that processing the data in violation of Swiss data processing principles is necessary for the purpose of defending legal rights, makes it increasingly difficult to pursue online rights infringers, particularly when IP addresses are frequently required to aid that pursuit.

Outside the online sphere, the Logistep ruling has subsequently been applied by the Swiss Administrative Courts in the Google Street View case, in its judgement of 30 March 2011 (German language only). The Google Street View case found itself in the Administrative Courts following over a year of negotiations between the Swiss Privacy Commissioner and Google, during which Google resisted implementing the majority of the remedial measures recommended by the Commissioner following the well documented data security breaches of the Street View service. The Administrative Court ruled that the data processing principles of Article 4 DPA had not been complied with, primarily on the basis that:

(a)   Google had not obtained the individuals’ consent to publish their insufficiently anonymised photographs on the Street View site;

(b)   this processing was not proportionate (in light of the risks to the individual’s privacy and personality rights); and

(c)   this processing and its purposes were not evident to the individuals when their data was collected.

The Administrative Court was not persuaded by Google’s defence arguments that it had blurred and anonymised all faces and vehicle licence plates, that it had offered to carry out further manual blurring of any images on request, and that it had announced that Street View imaging would be carried out on its site at least a week prior to each imaging session.  Google then sought to rely on Article 13 DPA in order to justify its processing, on the basis of its private commercial interest in the Street View service, and the public interest in the free to use, global Street View application.  These arguments also failed to persuade the Administrative Court, which ruled that Google could not justify its processing in breach of the Article 4 processing principles, and therefore that its processing violated the DPA.  Google was subsequently ordered to, amongst other undertakings, manually blur all images of individuals on the Swiss areas of Street View.  In making this ruling, the Administrative Court referred specifically to the Supreme Court’s Logistep ruling, and in doing so, has confirmed and entrenched this case law as the guiding principle for interpretation of the Swiss DPA.

In practical terms, organisations handling data in Switzerland, or using processors or service providers to handle data in Switzerland, should consider again the basis on which they are processing data.  Accurate and considered compliance with the Article 4 data processing principles is now the easier route to general DPA compliance, as the alternative Article 13 DPA route to processing justification becomes more and more demanding.  In particular, any private interests relied upon under Article 13 DPA (such as commercial costs and efficiency interests) will now need to be very clearly made out and evidenced, and are less likely to be successful where the individual could be considered prejudiced in any way by the processing.

ICO Issues Further Guidance on its Monetary Penalties Powers

The UK’s data privacy regulator, the Information Commissioner’s Office (ICO), has recently issued further statutory guidance on its powers to impose monetary penalties. This guidance builds on an earlier statutory guidance note issued by the ICO back in January 2010, by providing greater clarification on the key factors in the ICO decision process when imposing monetary penalties. Broadly, the guidance emphasises that monetary penalty notices are intended for the most serious breaches only, with the objective of encouraging compliance, rather than punishing infringers for minor or technical breaches. An important take-away from the guidance is the weight the ICO gives to conscientious efforts to avoid breaches, even where a breach occurs despite those efforts. Thus, monetary penalties may or may not be imposed for the same offence (or the amount of the penalty varied) depending on an organisation’s compliance efforts. Putting in place a comprehensive compliance programme, and actively taking steps to ensure the programme is followed through, is therefore a helpful defence against the risk of monetary penalties.

The ICO has powers to impose monetary penalties for breaches of both the Data Protection Act 1998 (the DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “E-Privacy Regulations”). These rules empower the ICO to issue monetary penalty notices of up to £500,000 for breaches of the DPA or E-Privacy Regulations, as relevant, which meet the following conditions:

1. the breach is a ‘serious’ breach – The guidance states that the ICO will judge this objectively, taking into account the expectations of the data subject and society as a whole:

  • Practical examples (DPA breach): failure to take adequate security measures leading to loss of personal data;
  • Practical examples (E-Privacy Regulations breach): making a significant volume of automated marketing calls without consent, leading to distress, or covertly using mobile location data; and

2. the breach is of a kind likely to cause substantial damage (financially quantifiable loss) or substantial distress (injury to feelings, harm or anxiety) – ‘Substantial’ is taken by the ICO to mean “considerable in importance, value, degree, amount or extent”, therefore damage which, when suffered on an individual level, is not substantial, may be considered substantial if suffered by large numbers of individuals.  On the other hand, a single breach may be sufficiently substantial to warrant a monetary penalty:

  • Practical examples (DPA breach): disclosure of inaccurate personal data in an employment reference, causing that job opportunity to be lost;
  • Practical examples (E-Privacy Regulations breach): distress caused to large numbers of individuals by repeated automated marketing calls which are difficult to opt out of; and either

3. the breach was caused deliberately:

  • Practical examples (DPA breach): personal data collected strictly for the purposes of a competition is knowingly used for other commercial purposes, such as tracing databases or selling to third parties;
  • Practical examples (E-Privacy Regulations breach): repeatedly sending marketing faxes or calling phone numbers listed on the fax preference service and telephone preference service, respectively, or repeatedly sending marketing SMS without consent and charging a premium rate for opt-out messages; or

4. the infringing person / entity must have known or ought to have known that there was a risk that a contravention would occur (and that such a contravention would be of a kind likely to cause substantial damage or substantial distress) but failed to take reasonable steps to prevent it – This is an objective test, judged against the standard of the reasonably prudent person:

  • Practical examples (DPA breach): a data controller is warned by members of its internal team that employees are using sensitive personal data, but does not carry out a risk assessment or put in place any compliance processes;
  • Practical examples (E-Privacy Regulations breach): an entity is aware that its number blocking system for preventing calls being made to opted out numbers may be faulty, but does not investigate the likelihood of a fault or carry out any testing or preventative action;
  • Practical examples (‘reasonable steps’): carrying out a risk assessment, taking steps to address the risks of handling personal data, the establishment of good governance and personal data specific policies and practices, and rectifying issues and potential breaches as soon as practicably possible. 

The amount of the monetary penalty will be determined by the ICO after consideration of the key factors discussed above, paying particular attention to the following:

(a)   the nature of the data;

(b)   the number of individuals involved;

(c)   the number of similar or previous breaches caused by the infringing entity;

(d)   the nature and scale of the damage or distress caused to individuals;

(e)   the overall governance and compliance attitude of the infringing entity and its responsiveness to ICO queries and recommendations; and

(f)   the size and financial resources of the infringing entity.

As discussed above, the recent guidance confirms the ICO’s approach in practice of giving considerable weight to an organisation’s compliance efforts. In relation to both the decision to impose a monetary penalty in the first place, and subsequently the level of that penalty, the ICO will consider whether reasonable compliance steps have been taken to prevent the breach (and if so, a monetary penalty is unlikely to be imposed, unless the infringing act was deliberate), and the compliance attitude of the organisation. This emphasis highlights the importance of taking active and visible steps to achieve compliance as far as possible.

The monetary penalty notice is one of a range of sanction options available to the ICO.  The ICO may also:

(a)   issue an enforcement notice, requiring the data controller to remedy the infringing data processing;

(b)   issue information or special information notices, requiring the data controller to provide information to assist the ICO in determining whether the data controller has complied with the DPA;

(c)   carry out a voluntary assessment of the data controller’s compliance with the DPA, with the data controller’s consent;

(d)   serve an assessment notice to carry out a mandatory assessment of compliance with the DPA; or

(e)   carry out an audit for compliance with the E-Privacy Regulations.

A failure to comply with any one of these notices is an offence, as are a number of other breaches of the DPA (such as failing to notify the ICO as a data controller, or unlawfully obtaining personal data). All offences are punishable by a fine on conviction (and officers of a breaching organisation may be individually liable if they consented to the offence or were neglectful in their duties).

Monetary penalties therefore play a relatively minor role in the ICO’s enforcement practices, and are generally only to be imposed for the most serious of breaches where previous, more informal, enforcement steps by the ICO have failed to rectify any potential breach. However, as the ICO gains more experience in imposing such monetary penalties, and now that the maximum level has been increased to £500,000, we may start to see such penalties imposed with greater frequency and at higher levels. The ICO’s monetary penalty powers for data privacy enforcement are nonetheless put into stark perspective by the fining powers of other industry regulators such as the Financial Services Authority (FSA), which has far greater fining powers for data security breaches that fall within its remit. The largest fine imposed by the ICO to date is a monetary penalty of £120,000 against Surrey County Council (as set out in our post on this blog of 14 June 2011), whereas the FSA’s data security fining record currently stands at £2.27 million against the UK business of Zurich Insurance. The reputational damage following the imposition of a monetary penalty by the ICO should not be underestimated, however, and businesses operating in the UK should take advantage of the ICO’s generally pragmatic approach by working with the ICO and following its guidance and recommendations to ensure that the issue of formal enforcement action and monetary penalties does not arise in practice.