View the publication here.

Introduction

On 15 September 2017, the Federal Council adopted a Message related to the global revision of the Federal Act on Data Protections of 19 June 1992 («FADP») (FF 2017 6565 ff). According to this Message, the current FADP has been overtaken by technological and societal developments. It therefore intends to adapt it to the latest developments, while making data processing more transparent. It also aims to strengthen the right of everyone to have access and to control their own data. The draft also aims to make the controller in charge of data processing more responsible, by encouraging them to be aware of data protection issues […] and by making them apply by default the settings that guarantee the highest level of protection («privacy by default») [1].

This current modernisation of the FADP in Switzerland gives us the perfect opportunity to give a brief reminder on the information that a FADP request is likely to provide us with, from those, which are not covered by its scope.

Historical background

The right to information according to FADP seemed to belittle used in the past decades, especially in the private sector.

In practice, the debtor of the right to information was often tempted to refuse a request for access because of the low penalties he risked. Such a comportment tended to dissuade the applicant from persevering with his request, since he was finally obliged to submit a legal proceedings, with the costs involved. More recently, however, there has been an increase in litigation concerning the right of access to the FADP, at least in terms of the number of decisions handed down by the Federal Court and the cantonal courts, in this area[2].

This is due to the increasing amount of personal data being collected, particularly as a result of the massive digitalisation of services and communication networks.

According to art. 3 let. a FADP, personal data («Data») the information relating to an identified or identifiable person.

Available information

Information is accessible within two logical and successive steps. Firstly, it is necessary to find out whether or not Data concerning the applicant exists (right to know), and then, if so, what kind of Data it is (right to be informed).

In its current form, Article 8 par. 1 FADP provides that «any person may request information from the controller of a data file as to whether data concerning them is being processed». Thus, the right of access relates firstly to get whether or not «data are actually being processed» about the applicant.

This legal provision therefore ensure the right to each individual, whether or not they have a legal report with the controller, to ask the latter if any «Data» concerning them are being «processed». In its negative dimension, this right allows to obtain confirmation that no personal Data are being processed and, in its positive dimension, the certainty that a Data exists[3].

By requesting such an access, any applicant may verify—in addition to the content of the Data they receive—the following information:

·       The aim of the Data processing: the purpose of the process should be explained. This information is important insofar, as it will allow the applicant to verify whether the purpose principle is respected or not. It is the right way to ensure that the Data processing is proportional to the purpose. As a reminder, it is not allowed to collect personal Data that are not necessary to achieve the stated purpose[4] ;

·       The legal provision on which the Data processing is based ;

·       The location of Data processing, especially the Data storage ;

·       How long the Data will be stored. However, this information is far from simple to establish since Data storage’s duration may vary from one country to another […] and may vary from one category of Data to another or from one purpose to another. For example, an organisation will not keep its employee’s Data according to the same rules as its customer or prospect one[5].

Legal limits to the right to information in Switzerland

Increasing use of the right to information necessarily leads that limits must be set, particularly for the applicant, in order to prevent undue or excessive access. These limits would therefore be deployed as safeguards for access to information and to avoid any abuse of the right. Such limits are firstly provided by legal provision.

The Article 9 of the FADP provides that «the controller of a data file may refuse, restrict or defer the provision of information where a formal enactment so provides or this is required to protect the overriding interests of third parties».

Thus, the wording «may refuse, restrict or defer the provision of information» suggests that the controller of the file is free to decide whether or not to grant access within the meaning of Article 8 DPA. The grounds for restriction are in no way to be examined or considered at will, but are to be considered in a general context[6].

Indeed, the right to information and access are guaranteed by Article 13 of the Federal Constitution and Article 8 of the ECHR and that those are indispensable for the protection of the private sphere[7].

Finally, the proof of the existence of an overriding interest in restricting the right of access lies with the controller[8].

Structural limits to the right to information

In addition to the restrictions of Article 9 of the FADP, access to the Data may also be limited to the mere existence of the information or at least to the fact that this Data is well and truly stored.

Indeed, sometimes it is an information which is ancillary to the processing of the Data itself that interests the applicant, for example, the question of knowing the origin (the source) of the Data processed.

In practice, Data can be entered, by the controller of the Data file, into a system (“Structured data”) without consideration to its origin, which is not necessarily archived. When the controller of the data file knows the origin of the Data —stored in the human memory—, without entering it into the system, it could be a Data nonetheless (“Unstructured data”).

This raises the question of whether the right to know the origin of a Data (Article 8 par. 2 letter a FADP) includes both Structured and Unstructured Data.

The Arrest 147III 139 of the Federal Court has decided the issue: «the right of access (Article 8 FADP) does not relate to all personal data, but only to data that are effectively stored in a file, as well as to effectively "available information on the origin of the data"»[9].

Then, if the origin of the Data is not recorded in the file itself—but known in the memory of the controller of the Data file— it is not via an FADP request that such an information can be granted, as long as this « non-stored information» is therefore beyond the scope of the Act.

Consequently, the Swiss Federal Court ruled that information in the human memory does not fall under the right of access according to Article 8 FADP.

In conclusion, the other major limitation of the FADP is simply its scope.

The right of access to Data is thus limited to the fact that they are indeed stored on external devices (handwritten notes or entries in a computer document)[10].

So the mere «perception» of an external information and its «storage» in the human memory, without recording it on an external support, do not fall within the notion of «processing» in the sense of the FADP. Such «perception» are not «operations» (manual or automated) within the meaning of the Federal Act on Data Protection[11].

Conclusion

Some might say that Data storage is very regulated. But this would be forgetting that Data about us are valuable and sometimes very sensitive. Their disclosure must therefore be limited by a rigorous legal framework, and their storage, by equally rigorous provisions.

Although we may not be aware of it, our Data can inform anyone, including the Authorities, about activities and matters that seem perfectly innocent to us, but which may contain valuable information.

Your Data can come from anywhere. From your smartphone, to your supermarket loyalty card, to your fitness card, to your search engine, to the CCTV (security camera) at the local grocery shop, to even your car. It is therefore necessary that the revision of the FADP provides for increased transparency of any Data processing.

According to the revision of the FADP, the obligation to provide Data will no longer be restricted to processing operations involving sensitive Data or personality profiles, but will be extended to all processing operations (Art. 17 pLPD). Moreover, the scope of the information to will need to be provided to the applicant will be increased and will includes, in particular, the length of time during which the Data will be kept (Article 23pLPD)[12].

Learn more about our Data Protection practices here or contact our associate Pierre-Antoine Keiser at info@lecocqassociate.com if you have any queries.

 

Sources:

[1] Montavon Pascal/Ballenegger Cédric/Reichlin Jeremy/Dapples Astrid/Maillard Mathilde/Montavon Michael, Abrégéde droit civil, Art. 1er à 640 CC / LPart / LPD / LN, 4e éd., Genève - Zurich -Bâle 2020, p. 108.

[2] Benhamou Yaniv, Mise en œuvre judiciaire du droit d’accès LPD – aspectsprocéduraux choisis, dans: MétilleSylvain (éd.), Le droit d'accès, Berne 2021 (CL 74), p. 77 et ss.

[3]Di Tria Livio/LubishtaniKastriot, Étude empirique du droit d’accès à ses données personnelles / I. -II., dans: Métille Sylvain (éd.),Le droit d'accès, Berne 2021 (CL 74), p. 38 et ss.

[4]D’Errico Luca, Répondre à une demande de droit d’accès – aspects pratiques,dans: Métille Sylvain (éd.), Ledroit d'accès, Berne 2021 (= CL 74), p. 123 et ss.

[5]Ibidem, p. 125 et ss.

[6] Husi-Stämpfli Sandra, dans: BaeriswylBruno/Pärli Kurt (éd.),Datenschutzgesetz (DSG), Berne 2015, Art. 9 N 2.

[7] ATF 144 I 126 cons.8.3.7.

[8] GRAMIGNA/MAURER-LAMBROU, in Basler Kommentar, Datenschutzgesetz, Öffentlichkeitsgesetz,3e éd. 2014, n° 8 ad art. 9 LPD; ROSENTHAL, op. cit., n° 4 ad art. 9 LPD; CEREGATO/MÜLLER, op. cit., ch. II/2.2.1.

[9]Arrêt du Tribunal fédéral 4A_125/2020 du 10 décembre 2020.

[10]MeierPhilippe, Protection des données, Fondements, principes généraux et droitprivé, Berne 2010, p. 231.

[11] Ibidem.

[12]Montavon/Ballenegger/Reichlin/Dapples/Maillard/Montavon, op. cit., p. 110.

Pierre Antoine Keiser
Pierre Antoine Keiser
Associate