The data protection of the future

Data protection is ultimately about protecting privacy, particularly in the digitalized world of the future. According to Article 13 of the Federal Constitution, everyone has a claim to this fundamental right, which is also rooted in Article 8 of the European Convention on Human Rights (ECHR).

On September 15, 2017, the Federal Council released a dispatch aiming to adapt data pro-tection to the internet era and strengthen the position of citizens. In Article 4 Letter f, the draft mentions profiling. The definition of this term largely corresponds to that of the EU General Data Protection Regulation (Art. 4 Para. 4 EU GDPR). Profiling of individuals re-quires individuation; for example, to distinguish between people with the same name. The easier this individuation is, the greater the threat to privacy.

The simplest means of distinguishing between individuals is their date of birth. We consider the current handling of dates of birth to be a matter of serious concern. For example, in ref-erence to the theft of data in fall 2017, the Head of Communications at Swisscom said that: “An unknown party [...] gain[ed] unlawful access to [...] the names [...] and dates of birth of customers. This information is classed as ‘non-sensitive personal data’ under data privacy laws.” The February 7, 2018 press release also mentioned that sensitive data such as pass-words was not affected.

Dates of birth should be considered sensitive, as they simplify profiling over the long term. In general, we recommend distinguishing between personal data that is of a permanent na-ture, and that which is easy to change. Permanent data is sensitive in the long term, as its accumulation can affect privacy. If a large number of parties make what is, subjectively speaking, relatively impersonal data available, the sum total of the data may nonetheless have grave consequences for the individual in question.

Permanent personal data includes names, dates and places of birth and biometric character-istics. This data cannot be changed, or is very difficult to change, and significant importance should be attached to its protection and recoverability in data privacy laws. Passwords do not represent a long-term issue, as these can be changed at any time, unlike one’s date of birth.

In order to prevent misuse of permanent personal data, it could be stipulated that this data may only be processed if relevant information regarding its origins is available. Similar compulsory declarations are already in place for food. In addition, rights to information should come with the obligation not only to inform affected individuals about the data avail-able, but also to disclose with whom it will be shared. As with open-source software licenses, these origin/destination obligations should also be passed on to the recipients of the data. This would reduce the flows of information most susceptible to misuse and reinforce privacy.

Complete Revision of the Federal Data Protection Act

The complete revision's draft of the Federal Data Protection Act is currently in political consultation. Data Protection is to be increased by giving people more control over their private data as well as reinforcing transparancy regarding the handling of confidential data.

Links: draft, report

Eurospider Information Technology AG
Schaffhauserstrasse 18
8006 Zürich

 

Cookies make it easier for us to provide you with our services. With the usage of our services you permit us to use cookies.
More information Ok Decline