The annual report also includes an external perspective on the OA-IA’s activities. In keeping with the theme of this report’s focus on information systems, Adrian Lobsiger presents his personal view of matters.
Opportunities and risks of digital transformation
The Secret Files Scandal in 1989 caused an abrupt loss of confidence among the Swiss public in the national security service. Once the scandal concerning mass surveillance by the federal police (then known as ‘BUPO’) had been investigated and processed, politicians demanded that the many different tasks conducted by this security service be disentangled. In the face of a political initiative to completely abolish the national security service, which was only ru – dimentarily regulated at the time, the Federal Council and Parliament launched a process to introduce some controls. A referendum held in 1998 permitted the continuation of national security activities and formally regulated them in law. In a second referendum in 2016, the current IntelSA was adopted, authorising the FIS to acquire personal data not only by (mainly) covert but also by coercive means. The ban on the use of coercive means having been re – moved, Parliament set up an independent oversight authority exclusively for the FIS.
Even though opinions about intelligence surveillance still differ, its critics must concede that, since the introduction of the IntelSA, data processing by national security services is based on a law that is clear and sufficiently specific. In contrast, much still needs to be done before we have clear legislation on the equally highly sensitive processing of personal data by other fed – eral security authorities. For example, data processing by fedpol and the Swiss Border Guard is based on a large and growing number of special provisions scattered throughout various pieces of legislation. Furthermore, the federal security authorities have launched a number of wide-ranging projects for digital transformation which make it even more difficult for the gen – eral public to understand how the law handles the processing of personal data. Because these projects can have far-reaching consequences for the processing of personal data, the federal data protection oversight authority is working to ensure that processes are fully recorded and analysed at the planning stage in data protection impact assessments.
In its strategy for digital transformation in the administration, the Federal Council has called for traditional forms of living and doing business together to be questioned and rethought, and for an expansion of digital skills that enable networking and data-sharing between all stakeholders. Words create images, and so some promoters of digital transformation see in their mind’s eye a cloud from which police forces, border guards and intelligence services draw information for the benefit of all law-abiding people who have nothing to hide.
The antithesis of this vision is the much frowned-upon keeping of data in ‘silos’, seen by digital transformation proponents as the relic of an outdated way of thinking that – as some would claim – is typical of a system of data protection that favours perpetrators instead of protecting citizens. The fact that each canton has a police force that processes the personal data accru – ing there on its own responsibility and usually only shares it with other security authorities upon request leads these visionaries to shake their heads, as does the fact that the federal government distributes its police power among three federal offices. As sworn opponents of data silos, they feel aggrieved by this state of affairs, and in order to bring about long-overdue change, are pushing for all security authorities to be linked as far as technically feasible.
If one disregards the historical events that led the writers of the Constitution to organise communities federally and to divide centralised power, it is difficult to understand the rationality of complex data flows among the state security authorities. However, if the historical context is taken into account, it can be seen that Switzerland’s internal security system has emerged from a sequence of decisions made by its political institutions and shaped directly by the public in popular votes and referendums. This is what happened, for example, in 1978 with the successful referendum against the creation of a federal security police authority; to this day, this veto against a central security authority at federal level has not been revoked.
A new way of thinking that sees the digital availability of personal data as the measure of all things and ignores political concepts to limit state power takes us backwards, not forward. It takes us back to the police state, which was abolished when absolutist aristocracies were overcome in the bourgeois revolutions of the 18th and 19th centuries. When the omnipotent power structures of the ancien régime were dismantled and replaced by specialised offices, this greatly helped to transform the police state into a public service and to turn subjects into self-confident citizens who, in return for paying taxes, could demand professional and discreet services from these offices.
Legal procedures govern the way these specialised offices share the data they hold on citizens, and this forms part of the professionalism demanded of them. That the Federal Administration now prepares factual data in a machine-readable form and makes it usable across departments and offices is also an expression of this professionalism. It also records master data and personal attributes according to the so-called once-only principle and manages them using uniform identifiers such as the AHV number. Data protection does not stand in the way of digitalisation processes, which make public services more efficient, especially since these processes can also help to improve data quality.
Yet should anyone try to create a kind of cloud of non-transparent networks, from which the security authorities, tax investigators and other agencies of the ‘interventionist administration’ could extract all the data that accumulates when members of the public interact with the public authorities, this would set them on a collision course with data protection standards. Such a data grab would soon stink to high heaven and poison public trust in the state’s role as a public service and guarantor of the rule of law. To prevent this, the Federal Data Protection and Information Commissioner requires those responsible for digital transformation projects to declare in the data protection impact assessments the scope and intensity of future data processing and to state the entities authorised to access the data and make a comparison with the status quo. Any planned extension or intensification of existing personal data processing activities must be justified.
The federal offices sometimes argue that digital transformation projects must be planned in an ‘agile’ manner because of the rapid pace of technical progress. They claim that it is therefore not possible to define future data processing definitively, or to compare it with the status quo. Such arguments are untenable; they are tantamount to giving the Federal Administration blanket authorisation, since neither the political bodies that are responsible for official interventions in the private sphere of the general public nor the general public themselves can assess what ‘agile’ risks might be. The Federal Data Protection and Information Commissioner repeatedly sees it as his duty to ensure that data protection impact assessments are detailed and extensive before their results are included in the dispatches in which the Federal Council proposes to Parliament amendments to security legislation.
In view of the challenges described above, the Commissioner considers himself fortunate that his work in the intelligence field is complemented in a purposeful manner by the independent FIS oversight authority.
Adrian Lobsiger(*1959)
After his studies in Bern and Basel, Adrian Lobsiger, born on 27 December 1959, obtained a master’s degree in European law from the University of Exeter (GB). In 1992, he began his career in the field of international pri – vate law at the Federal Office of Justice. In 1995, he joined the Federal Office of Police (fedpol), where he became deputy director.
Adrian Lobsiger was elected by the Federal Council in November 2015 and confirmed by Parliament in March 2016. He has been in office since June 2016. At its meeting on 10 April 2019, the Federal Council confirmed the re-election of Adrian Lobsiger as Federal Data Protection and Information Commissioner (FDPIC) for a second term of office until the end of 2023.