I. Legal framework
Constitutional privacy and data protection framework
Article 36(4) of the 1874 Constitution guaranteed, "[t]he inviolability of the secrecy of letters and telegrams." This constitution was repealed and replaced by public referendum in April 1999. The new Constitution, which entered into force on 1 January 2000, greatly expanded the older privacy protection provision. Article 13 of the new Constitution states: "All persons have the right to the respect of their private and family life, home, mail and telecommunications. All persons have the right to be protected against abuse of their personal data."1
Privacy and data protection laws and regulations
The Federal Data Protection Act of 1992 (Loi fédérale sur la protection des données or LPD) regulates personal information held by federal government and private bodies.2 The Act requires that information be legally and fairly collected and places limits on its use and disclosure to third parties. Federal agencies must register their databases. Private companies must register if they regularly process sensitive data or transfer the data to third parties. Transfers to other nations must be registered and the recipient nation must have adequate data protection laws. Individuals have a right of access to correct inaccurate information. There are criminal penalties for violations. In March 2006, the Federal Parliament adopted major revisions to the LPD;3 the revisions came in force on 1 January 2008.4
Revisions to the LPD included: elimination of the possibility of justifying a violation of the principles on the basis of an overriding private or public interest; requirement that processors of sensitive data actively notify data subjects; further requirements for controllers to ensure that third party processors have adequate security in place; and restriction on the methods of ensuring adequate data protection in transfers to third countries.5
Almost all of the 26 Swiss "cantons" (states) have a separate data protection law and their own data protection commissioner. However, as some cantons are small, some data protection commissioners are employed to allocate only 10 percent of their working time for this purpose. In order to exchange opinions and collaborate, the cantonal data protection officers founded the association "PRIVATIM" (formerly DSB+CPD.CH) in March 2000. PRIVATIM created a working group to address questions regarding health privacy, and in June 2007, published a brochure on the rights of individuals concerning their medical data privacy.6
In June 1999, the European Union Article 29 Data Protection Working Party determined that Swiss law was adequate under the EU Data Protection Directive.7 In July 2000, the European Commission formally adopted this position, thereby approving all future personal data transfers to Switzerland. On 20 October 2004, the Commission confirmed this approval.8
In 2008, amendments to the Federal Data Protection Act came into force on 1 January. The new law incorporates the obligation to inform data subjects about the collection and purpose of the information, as well as information about data transfers to third parties.9 The new statute also makes a provision for a certification procedure to obtain a data protection quality label, once applicable legal and technical requirements have been met.10 The new Act modifies the rules applicable to the transfer of personal data abroad and makes it an obligation for data controller transferring personal data to inform the Data Protection Commissioner about contracts and internal data protection regulations in place. The new rules are very similar to the rules of the EU Data Protection Directive and their adoption allowed Switzerland to ratify, on 20 December 2007, the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding Supervisory Authorities and Transborder Data Flows of 8 November 2001.11
Besides the Data Protection Act,12 there are also legal protections for privacy in the Civil Code13 and the Penal Code.14 There are also special rules relating to workers' privacy from surveillance,15 telecommunications information,16 health care statistics,17 professional confidentiality, including medical, and legal data,18 medical research,19 and identity cards.20
Data protection authority
The LPD created the office of a Federal Data Protection and Information Commissioner (the Commissioner, or FDPIC).21 The Commissioner maintains and publishes the Register for Data Files, supervises federal government and private bodies, provides advice, issues recommendations and reports, and conducts investigations. The Commissioner has assumed a new role as mediator relating to transparency and public information.22 The Commissioner also consults with the private sector. The office publishes a detailed annual report, as well as leaflets, summaries of press articles and critical statements, and advice to government agencies on issues of data protection.23 However, the Commissioner has only limited possibilities for interventions: he can only submit "suggestions" (Empfehlungen) or ask the Data Protection Commission to review a case. Decisions of this commission can then be submitted to the Federal Court (Bundesgericht). In the FDPIC's 14th Annual Report (2006/2007), the Commissioner addresses issues that range "from military information systems, such as reconnaissance drones, to the planned introduction of the health insurance card, to video surveillance in stores, and to biometric access control in sports stadiums and leisure facilities."24 In the FDPIC's 17th report main topics are "Privacy on Internet" (Goldgräberstimmung im Internet - das Ende der Privatsphäre?) dealing with Google, Facebook, Twitter and other online services providers; "Certification of Data Management Systems: Accreditations" (Zertifizierung von Datenschutzmanagementsystemen: Akkreditierungen) dealing with the first accreditations of private companies with the Swiss Accreditation Agency (SAS); and "2010 Swiss population Census" (Volkszählung 2010).
Annually, the FDPIC deals with 1,500 to 2,000 complaints, investigations, and requests. Among these, there are questions of individuals, media inquiries, long-term supervision of operational proceedings in private enterprises, as much as, in the federal administration, and comments on legislation at the hearing stage. According to the FDPIC, between 1 April 2005 and 31 March 2006 it conducted 63 official investigations, 50 of which concerned access to homeland security files. From 2006 to date there has been any significant change in the number of complaints (page 110 of report). However, the staff of 25 employees seems not to be sufficient to deal with all complaints in a reasonable time.25
In September 2005, the FDPIC hosted the 27th International Conference of Data Protection and Privacy Commissioners in Montreux. More than 350 participants from all over the world took part, and the Conference adopted two important resolutions: one on the use of biometric data in passports, ID cards, and travel documents, and a second on the use of personal data for political communication.26
The Federal Data Protection and Information Commissioner has been appointed by the Bundesrat (the Government), as well as cantonal commissioners have been appointed by their cantonal governments. In order to implement Article 25 of the EU Council Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters -- that states "These authorities [data protection authorities] shall act with complete independence in exercising the functions entrusted to them"27 -- adaptations in the concerning Swiss regulations are currently under way. All commissioners must be elected by the Parliament, or at least approved by this institution.
Major privacy and data protection case law
The relevant case law concerning privacy and data protection is discussed infra in the text and categorised under the corresponding section.28
- 1. Constitution of Switzerland, 1999, "Bundesverfassung der Schweizerischen Eidgenossenschaft vom 18. April 1999" (BV, SR 101), http://www.admin.ch/ch/d/sr/c101.html. In addition to the Constitution, every federal law and regulation is available in an online directory. In this report, we generally link to the German versions ("Systematische Rechtssammlung" SR: http://www.admin.ch/ch/d/sr/sr.html). However, there are versions available in French ("Recueil systématique du droit fédéral" (RS), at http://www.admin.ch/ch/f/rs/rs.html) and in Italian ("Raccolta sistematica del diritto federale,"at http://www.admin.ch/ch/i/rs/rs.html).
- 2. Bundesgesetz über den Datenschutz, DSG vom 19 Juni 1992 (Stand 2006) (Swiss Data Protection Statute from 19 June 1992 (in the updated version of 2006) DSG, SR 235,1), available at http://www.edoeb.admin.ch/org/00828/index.html?lang=enFDPIC.
- 3. David Rosenthal, "Country Q & A -- Switzerland," Information Technology 2007-2008, available at http://www.homburger.ch/fileadmin/publications/DAPSWQAC_01.pdf.
- 4. See http://www.admin.ch/ch/d/sr/2/235,1.de.pdf.
- 5. Id.
- 6. Association of Data Protection Commissioners "PRIVATIM," at http://www.privatim.ch/. See "Votre dossier médicale, vos droits", 28 June 2007, available at http://www.privatim.ch/content/pdf/PRIVATIM_Dossier-medical_F.pdf.
- 7. Article 29 Data Protection Working Party, Opinion No. 5/99 on the Level of Protection of Personal Data in Switzerland, 7 June 1999, available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/1999/wp22en.pdf.
- 8. Commission of the European Communities, The application of Commission Decision 2000/518/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland, SEC (2004) 1322, Brussels, 20 October 2004, http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/sec-2004-1322.... The decision is based on the Commission Decision of 26 July 2000 pursuant to Directive 1995/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland (notified under document number C(2000) 2304), 2000/518/EC, Official Journal L 215, 25 August 2000, at 1-3. See also European Union Press Release, "Commission Adopts Decisions Recognising Adequacy of Regimes in United States, Switzerland and Hungary," 27 July 2000.
- 9. IWG Country Report -- Switzerland, 43rd Meeting of the Working Group, March 2008.
- 10. Verordnung über die Datenschutzzertifizierungen, available at http://www.admin.ch/ch/d/as/2007/5003.pdf. For more information about the certification procedure mentioned in the text, see http://www.seco.admin.ch/sas/00026/00059/index.html?lang=en.
- 11. Id. See also Zusatzprotokoll zum Ãœbereinkommen zum Schutz des Menschen bei der automatischen Verarbeitung personenbezogener Daten bezüglich Kontrollstellen und grenzüberschreitendem Datenverkehr (Sammlung der Europaratsverträge SEV-Nr. 181), available at http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=181&CM=8&D....
- 12. For an overview of legal regulations concerning data protection, see http://www.admin.ch/ch/d/sr/23.html#235.
- 13. Section 28 of the Zivilgesetzbuch (ZGB, SR 210), Civil Code, 10 December 1907, available at http://www.admin.ch/ch/d/sr/c210.html.
- 14. Code pénal, Titre troisiÃ¨me: Infractions contre l'honneur et contre le domaine secret ou le domaine privé, Art. 173-179. Schweizerisches Strafgesetzbuch (StGB) vom 21. Dezember 1937 (SR 311,0), available at http://www.admin.ch/ch/d/sr/c311_0.html.
- 15. Section 328 of the Obligationenrecht (Code of Obligations), 1 July 1996,, available at http://www.admin.ch/ch/d/sr/2/220.de.pdf,. See International Labour Organisation, Conditions of Work Digest, Volume 12, 1/1993.
- 16. Fernmeldegesetz (Telecommunications Law, LTC) (FMG, SR 784,10), 30 April 1997, available at http://www.admin.ch/ch/d/sr/c784_10.html.
- 17. Office fédéral de la statistique, La protection des données dans la statistique médicale, 1997, at http://www.bfs.admin.ch/bfs/portal/fr/index/infothek/erhebungen__quellen....
- 18. Code pénal, Art. 320-322, Schweizerisches Strafgesetzbuch vom 21. Dezember 1937 (StGB, SR 311,0), available at http://www.admin.ch/ch/d/sr/c311_0.html.
- 19. Verordnung vom 14. Juni 1993 über die Offenbarung des Berufsgeheimnisses im Bereich der medizinischen Forschung (VOBG, SR 235,154), available at http://www.admin.ch/ch/d/sr/c235_154.html, Ordonnance du 14 juin 1993 concernant les autorisations de lever le secret professionnel en matiÃ¨re de recherche médicale (OALSP).
- 20. Bundesgesetz vom 22. Juni 2001 über die Ausweise für Schweizer StaatsangehÃ¶rige (Ausweisgesetz, AwG, SR 143,1), available at http://www.admin.ch/ch/d/sr/c143_1.html, and the corresponding regulation Verordnung vom 20. September 2002 über die Ausweise für Schweizer StaatsangehÃ¶rige (Ausweisverordnung, VAwG, SR 143,11), available at http://www.admin.ch/ch/d/sr/c143_11.html, replacing the older Ordonnance du 18 mai 1994 relative Ã la carte d'identité suisse.
- 21. Official website, at http://www.edoeb.admin.ch/index.html?lang=en.
- 22. 14th Annual Report on Activities, Federal Data Protection and Information Commissioner, 2006-2007, available at http://www.news-service.admin.ch/NSBSubscriber/message/en/13377#. A summary of the FDPIC's annual reports is provided in English at http://www.edoeb.admin.ch/dokumentation/00445/00509/01615/index.html?lan....
- 23. 13th Annual Report,, Federal Data Protection and Information Commissioner,2005-2006, available at http://www.edoeb.admin.ch/dokumentation/00445/00509/00965/index.html?lan....
- 24. 14th Annual Report 2006-2007, supra.
- 25. See 17th Annual Report 2009-2010, Federal Data Protection and Information Commissioner, available at http://www.edoeb.admin.ch/dokumentation/00445/00509/01615/index.html?lan.... See the German full text version at http://www.edoeb.admin.ch/dokumentation/00445/00509/01615/index.html?lan....
- 26. 13th Annual Report 2005-2006, supra.
- 27. See http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:350:0060....
- 28. Cfr. Section "Wiretapping, access to, and interception of communications," infra.