ANALYSIS: Swiss Federal Court Decisions Raise Threshold For Justification Of Data Processing
By Nicolas Passadelis, of Baker & McKenzie, Zurich.
Recent case law by the Federal Courts has materially increased the threshold for justifying data processing under Swiss law.
Justification is required, for example, if the general data processing principles set forth in Article 4 of the Federal Data Protection Act (DPA) are not met.
To comply with Article 4 DPA, personal data must, in particular, be processed:
- in compliance with all Swiss legal requirements outside the DPA (Article 4 paragraph 1 DPA);
- in good faith and proportionately (Article 4 paragraph 2 DPA);
- only for the purpose which 1) was indicated at the time the data were collected; 2) was evident from the circumstances; or 3) was legally required (Article 4 paragraph 3 DPA); and
- only if the collection of personal data as such and the purpose of the collection were already evident to the data subject at the time of collection (Article 4 paragraph 4 DPA).
Article 13 DPA lists the possible grounds for justification. Data processing in violation of Article 4 DPA can be justified if 1) the processing is justified by law; 2) the processing is justified by a prevailing public or private interest; or 3) the data subject consented to the processing. The possibility of justifying data processing based on a prevailing interest is important in cases where it is not possible or commercially efficient to obtain prior consent.
Federal Supreme Court Ruling
The restrictive jurisprudence on justification was shaped by the Federal Supreme Court (“Supreme Court”) in its ruling of September 8, 2010 (BGE 1C_285/2009).
The Supreme Court ruled on an appeal by a Swiss service provider offering software that can be used to collect the internet protocol (IP) addresses and other non-sensitive data of users offering copyright protected works for download by other users on peer-to-peer (“P2P”) networks. The collected data were subsequently sold to the copyright owners, who filed a criminal action against P2P users for having uploaded the copyrighted works. Uploading copyrighted works (contrary to downloading) is unlawful under the Swiss Copyright Act.
Therefore, the prosecution authorities initiated a criminal investigation and identified the relevant users based on the IP addresses used for uploading the copyrighted works. The copyright owners relied on their statutory right to access the investigation files to learn the users’ names and addresses and to claim damages from them for copyright infringement.
Contrary to the Federal Administrative Court (“Administrative Court”), which had found the service provider’s data collection activities lawful under Swiss data protection law (A-3144/2008), the Supreme Court ruled differently.
The Supreme Court found that the service provider had violated several data protection principles because the purpose of the data processing was not evident to the P2P users at the time of collection and because their personal data were being used for another purpose than was evident at the time of collection. While admitting that, in principle, violations of the data protection principles could be justified by a prevailing interest of the data controller or third parties such as the copyright owners, the Court ruled that neither the service provider’s interest in undertaking a commercial activity nor the copyright owner’s interest in tracking down potential copyright infringers was sufficient to outweigh the fact that internet users should not be confronted with covert data processing.
The ruling resulted in protecting potential copyright infringers based on the application of data protection rules from criminal prosecution and claims for damages by the copyright owners.
Application in Google Street View Case
This case law was subsequently applied by the Administrative Court in the Google Street View case, which dates back to 2009…