We have structured privacy and security-related topics into different sections to make it easier for you to find the information you want. If you need something specific that you are missing, please drop us a line at [email protected].
In today’s globalized and digitized world, data plays a prominent role. This is why data is partly understood to be the most valuable resource of the 21st century. Personal data is at the center of this and is used today in many different ways. For example, in economic terms, personal data has a material value; they are used to analyze consumer behavior and adapt advertising strategies. For this purpose, entire personality profiles are created, which contain extensive information and can include every detail of a person.1
Likewise, personal data can also be used by employers to determine the work behavior of their employees, for example, to increase efficiency. Therefore, such data’s benefits are enormous, and their value is often underestimated.
This makes data protection all the more important. But what does data protection actually mean, and is there a definition?
First and foremost, data protection means the right of a person to have their personal data protected. Data protection can be viewed from different perspectives and contains several sub-contents. One part of data protection law is the so-called informational self-determination. In this context, a person has the right to determine what happens to their data, i.e., to decide who can collect, store, access, or otherwise process it. Data protection thus also includes protection against misuse in data processing, whereby a person is protected against unjustified processing of their data. Data protection is, therefore, part of the right to privacy and the right to protection of personality.
Thus, there are always two interests at stake. On the one hand, a data controller, i.e., someone responsible for processing data, is interested in this processing (for example, economic interest or for reasons of expressing an opinion). On the other hand, the data subject whose data are processed is interested in protecting them.
It is helpful to take a closer look at the history of its development to obtain a comprehensive picture of data protection in general. Particularly with the abundance of legal foundations, it is often difficult to find an introduction to the topic, which is why a cross-section of the history should help here.
With the end of the Second World War and the atrocities that took place during it, a need arose, particularly in Europe, to enshrine the individual’s fundamental rights. The Universal Declaration of Human Rights (UDHR), adopted by the United Nations General Assembly on December 10, 1948, expresses this need. As a declaration, the UDHR is not legally binding, but its creation was a milestone in developing human rights worldwide. In Europe, to implement the ideals of the UDHR, the European Convention on Human Rights (ECHR) was signed on November 4, 1950. As a treaty under international law, the ECHR binds the 46 members of the Council of Europe. It includes all member states of the EU and almost all European countries (except for Belarus and Russia).
The UDHR and the ECHR, firmly based on the former, cover the right to a private life (Art. 12 UDHR and Art. 8 ECHR). Personal data protection is also derived from this right to private life and privacy (see above). This protection is based on the fact that personal data, in particular, were also used to perpetrate the crimes of World War II.
In the course of the 20th century, the importance of data protection grew steadily. As the power of computers improved, the volume of data that could be processed increased. While initially there were only a handful of computers in the world, computers also spread rapidly, so that soon everyone owned a PC, and today everyone carries a smartphone. With today’s services, such as cloud computing and the like, data flow and processing are becoming more complex, so privacy and data protection are also becoming more complex and challenging to comply with.
To address these developments, the first efforts to ensure data protection emerged in the 1980s. In addition to the from OECD formulated non-binding Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the Council of Europe agreed to the European Convention on Data Protection (Convention ETS 108). With this, the signatory states committed themselves to implementing the principles of the Convention into their national law. The aim was to create a uniform data protection level and regulate cross-border data traffic. However, ETS 108 was ratified only sporadically by certain states, and often a fragmentary approach was taken. In light of this, in the 1990s, the EU adopted Directive 95/46/EC to protect individuals concerning the processing of personal data and the free movement of such data. By doing so, EU member states committed to ensuring the minimum standards described therein through national law.
The General Data Protection Regulation (GDPR) has been in force since May 25, 2018. The EU regulation replaces Directive 95/46/EC and standardizes the protection of personal data and data traffic in the European internal market. To also bring non-EU countries in line with the new legal standard and to reflect the technological developments of the last years and decades, ETS 108 was revised to become the so-called ETS 108+. Adoption and ratification are open to each country. However, since too few countries have ratified the new version, it will delay its entry into force until the fall of 2023. 3
As in so many areas of law, such a consensus definition as the one above often does not conclusively address all of the questions one might have regarding the subject. In particular, questions arise such as: What is personal data? What does data processing mean? And who all counts as a protected person? In addition, there are always differences due to the different legal opinions and interpretations of the various worldwide countries. The EU’s General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP) are particularly relevant here. Despite any differences, it is essential to explain some important terms for the necessary basic understanding:
Data protection is the protection of personal data. But what is personal data, and what can be understood by the term? The GDPR defines personal data in Art. 4 as: “any information relating to an identified or identifiable natural person.” The DSG defines personal data as: “any information relating to an identified or identifiable person” (Art. 3 lit. a FADP or Art. 5 lit. a revFADP). From this, you can quickly see that the term is enormously broad. The term “any information” is to be understood literally. Thus, everything from a person’s name to their whereabouts to information about their last online order falls under the term “personal data.” The decisive factor is that information is connected to a specific or identifiable person so that the data can be assigned to a person. For example, data on the average size of a population is not yet personal data. However, suppose it is possible to deduce who is how tall in a township because the data can be assigned to a person. In that case, it is considered personal data.
Equally important is the question of who is protected by data protection. Here the first differences between Swiss and European data protection laws exist. While the GDPR talks about natural persons, i.e., all individuals, the DPA currently also protects legal entities, i.e., companies and corporations. In any case, natural persons are protected under both laws. With the revision of the DPA, however, this will change. In the future, only natural persons will be protected in Switzerland (Art. 5 lit. b revDSG). Regardless of the legal system, however, the following applies in principle: every individual is protected.
Data protection thus protects natural persons and their personal data. So what still needs to be explained is what they are being protected from. Again, the definitions of the GDPR and the DPA are very similar. While the GDPR defines processing as “any […] operation or set of operations involving personal data […], the DPA defines processing as “any handling of personal data […]”. According to these broad definitions, data processing is to be understood. Thus, if data are processed, stored, or deleted in any way, data processing occurs.
Against this background, the question now arises when personal data can be processed and when not. Can data never or always be processed, or are there justifications or limits? Is it possible to process data beyond the will of a data subject, and how can this be reconciled with the individual’s right to personal protection? At this point, at the latest, the various legal systems must be considered separately concerning data protection law.
The decisive feature of the GDPR is that any processing of personal data must meet one of six conditions for it to be lawful. The starting point is thus that data processing is in principle not allowed unless it can be justified. Justifying conditions are:
The data subject whose personal data is processed for a specific purpose has given their consent to this. Permission must be given voluntarily, be distinguishable from other matters, be intelligible, and have been shown in clear and plain language.
Data processing may be necessary to fulfill a contract. For example, a company must process a customer’s data to provide a service.
It must be a legal obligation imposed by EU law or by the law of an EU member state. Invoking a contractual duty or an obligation set by the law of a third country is not sufficient.
Data processing is necessary to ensure the survival of the individual. This condition should only be a legitimate basis in absolute emergencies. An example of this is obtaining information about the blood type of an unresponsive person to perform a life-saving blood transfusion.
A Public interest, which the legislator could also define, requires data processing.
A legitimate interest can only justify data processing if the interests or fundamental rights and freedoms of the data subject in protecting their data do not prevail. A balancing of interests must be carried out between the data subject’s interests in protection and the controller’s interests. Since the interests of the data subjects are usually weighted more heavily, this condition is considered a catch-all justification if no other applies.
Without one of the conditions above, data processing is never lawful under the GDPR and may be punished with heavy fines.
Data protection law in Switzerland is currently changing. The presently applicable DPA has been completely revised, and the new version is expected to enter into force on September 1, 2023. The revision has several objectives. First and foremost, technological and societal changes are to be faced. In particular, self-determination and transparency in data processing are to be strengthened. The revision is also a response to the legal development of data protection in the EU and Europe. Thus, the ratification of Convention 108+ (see above) is to be made possible, the Schengen-relevant Directive (EU) 2016/680 on data protection in criminal matters is to be implemented, and there is to be an adjustment toward the GDPR. Without this change, the EU would no longer recognize Switzerland as a third country with a sufficient data protection level in the future. 5
As part of the Council of Europe, Switzerland has also ratified the ECHR and is bound by the fundamental rights enshrined therein. In parallel, the Swiss Federal Constitution also protects personal freedom and privacy and against misuse of personal data in its catalog of fundamental rights. Thus, the FADP is an expression and implementation of these fundamental and human rights.
Compared to the GDPR, Switzerland’s current FADP takes a somewhat opposite approach to when data processing is allowed and when it is not. Instead of prohibiting data processing in principle and allowing it using justification grounds, the FADP provides that the processing of data is permitted provided that it does not unlawfully infringe the personality of the data subject. However, the FADP also requires a justification ground in the form of consent of an overriding private or public interest or a law so that data processing does not constitute an unlawful violation of personality. However, the crucial difference between the GDPR and FADP is the starting point and the initial presumption.
In Germany, data protection has been considered a fundamental right at the national level since the 1983 census ruling as part of informational self-determination. This is derived from the general right of personality and human dignity. As an EU member state, Germany is, of course, subject to the GDPR. It is supplemented by the Federal Data Protection Act (BDSG) and the state data protection laws. 6
As a topic closely linked to our globalized and digitized world, it is hardly possible to consider data protection in isolation on a country-specific basis. Large companies operate internationally and must comply with the respective laws of the countries in which they operate. As a result, international data traffic and the relevant regulations also play a prominent role. Many global technology companies that process data on a large scale come from the USA. A look at data protection there is therefore unavoidable.
Data protection in the USA is fundamentally different from that in Europe. Whereas data protection is enshrined here as a fundamental right on several occasions, and there is Europe-wide standardization through the GDPR, there is downright talk of a patchwork of data protection laws in the USA. 7 One origin is the Griswold vs. Connecticut ruling from 1965, in which the right to privacy was declared constitutional protected. 8 Nevertheless, this right concerning personal data has been covered only fragmentarily and implemented only weakly in law.
Depending on who processes data, other federal laws are relevant. Regarding data processing by public authorities, citizens have certain rights under the Privacy Act of 1974, for example, the right to inspect stored data. In addition, the USA PATRIOT Act has been in force since 2001, enabling the US government and its authorities to process personal data in the event of even vague suspicion of terrorism. It is particularly problematic that, in addition to US companies, their subsidiaries abroad are also obliged to hand over data. This circumstance is leading to enormous conflicts, as the release of this data may be prohibited in the respective countries. 9
However, if private parties process data, other legal bases may be relevant for data protection. In particular, the Federal Trade Commission (FTC) Act is worth mentioning. As a competition authority, the FTC is tasked with protecting a fair and equitable market on the one hand. On the other hand, it is also responsible for consumer protection. 10 If a company deviates from its privacy notices and policies, the FTC can take action, as such deviation can be seen as misleading and unfair competition. Thus, companies will be held accountable for violations of their regulations.
Some specific regulations, such as the Children’s Online Protection of Privacy Act (COPPA) or the Health Insurance Portability and Accountability Act (HIPAA), were created for specific subsectors’ privacy regulations.
At the state level, only California has a comprehensive privacy law (California Consumer Privacy Act; CCPA). It guarantees consumers certain rights, e.g., to inspect and delete their data, and obligates companies to take certain security precautions when handling personal data. With the CCPA and the GDPR as a model, other states are beginning to follow suit in data protection. However, adequate protection still remains low. 11
2 Entstehungsdaten etc. von wikipedia.org; Zusammenhang zum Datenschutz vom IAPP Trainin 3 href="https://www.coe.int/en/web/conventions/full-list?module=treaty-detail&treatynum=223">Full list (coe.int) 4 Definitionen und Erklärungen von IAPP 5 Stärkung des Datenschutzes (admin.ch) 6 BfDI - Basiswissen zum Datenschutz - Die Grundlagen des Datenschutzrechts (bund.de) 7 Die Grundlagen des Datenschutzes in den USA (infosec.ch) 8 Griswold v. Connecticut – Wikipedia 9 USA PATRIOT Act – Wikipedia 10 About the FTC | Federal Trade Commission & Federal Trade Commission – Wikipedia 11 The Fundamentals of Data Privacy in America (globalbankingandfinance.com)