A series of recent rulings by the Swiss Courts have raised the bar for data processing justification under Swiss law. Whilst Switzerland is not part of the European Economic Area, and is therefore not subject to the European Data Protection Directive, its data privacy rules contain a number of similar, or at least recognisable, principles. The broad data processing principles are set forth in Article 4 of the Swiss Federal Data Protection Act (the DPA) which states that personal data must be processed:
(a) in compliance with all Swiss legal requirements outside the DPA (i.e. confidentiality rules, rights to personality (an individual’s or entity’s right to control the use and exploitation of its name, image, identity or reputation) etc.);
(b) in good faith and proportionately;
(c) only for the purpose which (i) was indicated at the time the data were collected; (ii) was evident from the circumstances; or (iii) was legally required; and
(d) only if the collection of personal data as such and the purpose of the collection were already evident to the data subject at the time of collection.
Data may, however, be processed in violation of Article 4, if the processing can be justified on one of the following grounds as listed in Article 13 of the DPA:
(a) the processing is justified by law;
(b) the processing is justified by a prevailing public or private interest (such as the commercial impossibility / inefficiency of obtaining prior consent to data processing where this is required); or
(c) the data subject consented to the processing.
The Court’s first step towards restricting the processing which may be justified under Articles 4 and 13 of the DPA came in the form of the 2010 Logistep ruling (German language only). In this case, the Swiss Federal Supreme Court ruled that Logistep had breached the processing principles of the DPA by identifying the internet protocol (IP) addresses of individuals uploading and sharing copyrighted material without authorization through peer-to-peer networks, then selling these IP details on to the copyright holders who were consequently able to identify the individuals and initiate proceedings against them.
The DPA breaches identified in the Logistep ruling focused on the fact that data processing for the purposes of identifying potential copyright infringers was not indicated or evident to the users at the time their IP address data was collected. The restrictive nature of this ruling can be seen, however, in the Court’s narrow interpretation of Article 13(b) DPA: the Court held that neither Logistep’s commercial activity interest nor the copyright owner’s interest in defending its copyright was sufficient to justify Logistep’s processing in breach of Article 4 DPA. The failure before the Courts of Logistep’s argument that an interest in defending legal rights, such as copyright, may prevail over the data processing principles of Article 4 DPA, makes it difficult to imagine in what circumstances a public or private interest could ever be safely relied upon to justify data processing under Swiss law.
The practical implications of this particular decision go beyond a narrowing of legitimate data processing grounds, and in effect protect potential copyright infringers from criminal penalties and damages claims, on the basis of the Swiss data protection rules. That this protection remains available to potential infringers, even in the face of evidence that processing the data in violation of Swiss data processing principles is necessary for the purpose of defending legal rights, makes it increasingly difficult to pursue online rights infringers, particularly when IP addresses are frequently required to aid that pursuit.
Outside the online sphere, the Logistep ruling has been subsequently applied by the Swiss Administrative Courts in the Google Street View case, in its judgement of 30 March 2011 (German language only). The Google Street View case found itself in the Administrative Courts following over a year of negotiations between the Swiss privacy Commissioner and Google, during which Google resisted implementing the majority of the remedial measures recommended by the Commissioner, following the well documented data security breaches of the Street View service. The Administrative Court ruled that the data processing principles of Article 4 DPA had not been complied with, primarily on the basis that:
(a) Google had not obtained the individual’s consent to publish their insufficiently anonymised photographs on the Street View site;
(b) this processing was not proportionate (in light of the risks to the individual’s privacy and personality rights); and
(c) this processing and its purposes were not evident to the individuals when their data was collected.
The Administrative Court was not persuaded by Google’s defence arguments that it had blurred and anonymised all faces and vehicle licence plates, that it had offered to carry out further manual blurring of any images on request, and that it had announced that Street View imaging would be carried out on its site at least a week prior to each imaging session. Google then sought to rely on Article 13 DPA in order to justify its processing, on the basis of its private commercial interest in the Street View service, and the public interest in the free to use, global Street View application. These arguments also failed to persuade the Administrative Court, which ruled that Google could not justify its processing in breach of the Article 4 processing principles, and therefore that its processing violated the DPA. Google was subsequently ordered to, amongst other undertakings, manually blur all images of individuals on the Swiss areas of Street View. In making this ruling, the Administrative Court referred specifically to the Supreme Court’s Logistep ruling, and in doing so, has confirmed and entrenched this case law as the guiding principle for interpretation of the Swiss DPA.
In practical terms, organisations handling data in Switzerland, or using processors or service providers to handle data in Switzerland, should consider again the basis on which they are processing data. Accurate and considered compliance with the Article 4 data processing principles is now the easier route to general DPA compliance, as the alternative Article 13 DPA route to processing justification becomes more and more demanding. In particular, any private interests relied upon under Article 13 DPA (such as commercial costs and efficiency interests) will now need to be very clearly made out and evidenced, and are less likely to be successful where the individual could be considered prejudiced in any way by the processing.