Covid-19 and Data Protection Issues in Switzerland, by Alexia Pato

This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives » which consist in a daily publication at 12 p.m. (GMT+1) except on Sundays until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to Blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder-Editor of Blogdroiteuropeen. If you are interested to contribute for our September session feel free to contact us at blogdroiteuropeen@gmail.com

Note: Hyperlinks to materials drafted in English are provided where possible. However, some official documents are only available in French or German. This blogpost was last amended on 3 July 2020.

Epidemiological Situation in Switzerland

On 1 July 2020, the Swiss Federal Office of Public Health (FOPH) reported 31,851 cases of infection and 1,685 coronavirus-related deaths since the start of the pandemic (the report is available here). It is worth highlighting that Switzerland has one of the highest rates of Covid-19 cases per capita, along with Spain and Italy. The most affected regions of the country are the cantons of Vaud, Geneva and Zurich (click here to see the evolution of the figures region by region). Note that there might be a gap between the official figures and reality, since people are not systematically tested in Switzerland. At the end of April 2020, the easing of lockdown restrictions started; today, the borders of Switzerland are opened to travellers coming from Schengen countries and gatherings of up to 1,000 people are allowed as of 22 June 2020. Nevertheless, the situation worsened at the end of May, as the FOPH announced that the number of newly infected cases was dangerously rising.

Legal Data Protection Framework

The right to data protection is enshrined in Article 13(2) of the Swiss Federal Constitution, which states that “[e]very person has the right to be protected against the misuse of their personal data”. At the federal level, the Federal Data Protection Act (FADP) of 1993 and the accompanying Ordinance regulate the protection of data between private persons, as well as between private persons and the state. The federal framework is completed by cantonal legislation.

The FADP applies to the “processing” of “personal data” – both defined broadly – pertaining to natural and legal persons by private bodies and public authorities. There is no general prohibition to process personal data in Switzerland. That being said, in order for the processing to be lawful, both private and public persons must comply with the principles embedded at Article 4 FADP:

Lawfulness (the data is not obtained under duress or by fraud, for example);
Good faith (the data subject is informed of the processing and the latter does not take place against his/her will);
Proportionality (only data essential to the processing are collected);
Transparency (the collection of personal data and the purpose of processing must be evident to the data subject);
Purpose limitation (the purpose that is specified or agreed upon at the time of collection can be clearly deduced from the circumstances at the time of collection or is provided for by law).

Additional explanations may be found in the Guidelines issued by the Federal Data Protection and Information Commissioner (FDPIC) (available here and here).

Article 12(2) FADP establishes a presumption, whereby the violation of one (or more) of those principles constitutes a breach of personality rights (Article 15 FADP and Articles 28 ff. of the Swiss Civil Code). Nevertheless, the person responsible for the processing may oppose a justified motive (Aritcle 13 FADP): processing is allowed if the data subject gives his/her consent, if there is an overriding private or public interest or if the law allows it. As a result, and by way of example, according to the FDPIC, asking for people’s name in restaurants in times of pandemic can only be made on a voluntary basis, as no legal provision exists to impose such a measure (see by contrast in Germany).

As far as public authorities are concerned, they can only process personal data if authorised by law (see Article 17 FADP and the few exceptions of Article 19 FADP). During the pandemic, authorities have relied on section 2 of the Federal Act on Epidemics (EpidA) in order to justify the processing of personal – often sensitive – data. Where needed, additional legislation may be enacted by the Parliament (Article 165 of the Swiss Constitution) and the Federal Council (Articles 185(3) of the Swiss Constitution and 7 EpidA). For an excellent analysis regarding the exercise of those competences, see F. Uhlmann, “Concentration of Powers in the Federal Executive: The Application of Emergency Powers in Switzerland” on the Verfassungsblog.

Note that a reform of the FADP is pending. The amendment of that law will bring it closer to the European General Data Protection Regulation. For more information on this reform, see the instructive report of pwc, as well as the explanations of A. Amiguet and P. Fisher “Changement de paradigme en matière de protection des données”.

Selected Security Issues

The next paragraphs comment on two recent, heavily discussed initiatives, the purpose of which is to control the spread of the pandemic. Both initiatives pose important data protection-related questions.

Proximity Tracing Application

On 24 June 2020, a proximity tracing application (Swiss Proximity Tracing system, also called Swiss PT or SwissCovid) was launched in Switzerland.

The Swiss PT works as follows: Swiss residents may voluntarily download an application (SwissCovid) on their smartphone, which then registers contacts with other devices in a perimeter of less than 2 meters and for more than 15 minutes via Bluetooth. To be more precise, two smartphones equipped with the tracing application exchange random identifiers when they are in contact and store the information on the users’ phone. When a person tests positive for the coronavirus, the laboratory reports the test results to the cantonal health services, in accordance with Article 27 EpidA. That service subsequently sends a code to the person infected, which he/she has to enter in the app in order to generate an automatic notification to all the smartphones that have been in the vicinity of the device (it is possible to trace contacts back through the exchange of identifiers). It is claimed that the Swiss PT system guarantees the anonymity of the users, although this fact is disputed by some (notably, see X. Bonnetain et al., Le traçage anonyme, dangereux oxymore : Analyse de risques à destination des non-spécialistes).

As mentioned in the previous section, public authorities need to be authorised by law in order to process personal data (Article 17 FADP). Accordingly, on 19 June 2020, the Swiss Parliament adopted Article 60a EpidA (accompanied by an Ordinance of the Federal Council and a Data Protection Statement of the FOPH) that enables the FOPH to run the Swiss PT until 30 June 2022, which is a relatively long time period. That provision settles important data protection-related questions. Notably, it makes clear that no localisation data is registered under the Swiss PT: indeed, the system is designed based on the so-called Tracing (DP-3T), whereby data are stored on phones rather than on an external, central server, which would offer less security (on that point, see S. Rossello and P. Dewitte, “Anonymization by decentralization? The case of COVID-19 contact tracing apps” on the Europeanlawblog). In all cases, the collected data is erased after 14 days. Also, Article 60a EpidA expressly states that the Swiss PT system and the data may not be used for a purpose other than informing users about potential contacts with infected persons; in particular, they cannot be exploited by the police, the criminal authorities or the intelligence services.

Despite the relatively strong data protection guarantees offered by the Swiss PT, important questions remain open.

In a report assessing the security level of the Swiss PT system, the Computer Emergency Response Team (GovCERT) of the Swiss government and the Federal Office of Information, Technology, Systems and Telecommunication state that the overall system is “robust” and “has reached a good state in terms of security and privacy”. Nevertheless, the report highlights two (medium level) security risks regarding the supporting systems: “One is the overall security of the smartphone, such as revealing the identity by the name of the device (“Max Muster’s Iphone”) or by outdated OS versions with known vulnerabilities, especially in the Bluetooth stack. Another noteworthy risk are the devices of medical staff. If such a device gets infected, an attacker might generate authentication codes and could potentially flood the system with wrong infection data”. Along the same line of reasoning, see the critical assessment of P.-O. Dehaye and J. Reardon, “SwissCovid: A Critical Analysis of Risk Assessment by Swiss Authorities”.

Another source of concern is that the APIs from Google and Apple were used to develop the Swiss tracing application. Considering that the decentralised system is not without flaws, it appears advisable to inform people about the exact data collected by the two companies in light of the principle of transparency.

Finally, in order to effectively fight the pandemic, at least two third of the population would have to download and use the application. However, since this might not happen (on 30 June, 970,485 phones out of approximately 10-11 million had downloaded the app), the principle of proportionality challenges the setup of the Swiss PT. In other words, one may wonder whether the tracing application is able to properly fulfil its goal.

The Mobility Insights Platform

The Swiss telecommunication company “Swisscom” has recently launched its Mobility Insights Platform (MIP), the purpose of which is to analyse movements and gatherings of people in Switzerland during the pandemic and examine whether social distancing measures (embedded in the Ordinance 2 on Measures to Combat the Coronavirus) are effective. After the collected personal data are anonymised, they are transferred to the FOPH for analysis. The visualisations sent by Swisscom identify areas measuring 100 by 100 metres where at least 20 SIM cards are present. Hence, no geolocation of individual users is possible. Importantly, the information received by the FOPH is based on data collected the day before, in order to impede the control of compliance with the law and subsequent fines. For an interesting critique of the MIP in light of the principle of transparency, see M. Steiger, “Standortdaten gegen COVID-19: Wo bleibt die Transparenz?”.

The collection of location data by Swisscom is allowed pursuant to Article 45(b) of the Telecommunications Act (TeleA). That provision reads: “Providers of telecommunications services may process data concerning locations of customers only for the telecommunications services and charging purposes; they may only process it for other services if they have first obtained the consent of customers, or in anonymised form”.

In the opinion of the FDPIC (which can be downloaded here), Article 45(b) TeleA allows the processing of location data in a different way than for telecommunications services and their billing if the data has been anonymised. Accordingly, data processing by Swisscom and the subsequent transfer of anonymous data to the FOPH is permitted under data protection law. Such an extensive interpretation is arguable: Article 45(b) TeleA allows the use of anonymised data for the offer of other services than the ones already provided. The transfer of data to a third party (here, the FOPH) is a different situation that does not seem to be encompassed within that provision. In any case, Swisscom declares that users may opt out from the sharing of data by updating their privacy settings (which indicates that the principle of privacy by design does not lie at the centre of the MIP initiative). One could argue that this question is unimportant as the collected data is anonymised anyway. Nevertheless, technology has its flaws and anonymisation is not always guaranteed.

Conclusion

The legal measures carried out by the Swiss government in order to fight the pandemic are certainly welcome. Additionally, public authorities facilitate access to relevant documents and often provide for clear and simple explanations. Nevertheless, this post highlights that some improvements could be made in order to fully comply with the principles of transparency and proportionality.

Alexia Pato is Senior Research Fellow at the University of Bonn (Germany) and co-editor of Blogdroiteuropeen.