-
- Art. 5a FC
- Art. 6 FC
- Art. 10 FC
- Art. 16 FC
- Art. 17 FC
- Art. 20 FC
- Art. 22 FC
- Art. 29a FC
- Art. 30 FC
- Art. 32 FC
- Art. 42 FC
- Art. 43 FC
- Art. 43a FC
- Art. 55 FC
- Art. 56 FC
- Art. 60 FC
- Art. 68 FC
- Art. 75b FC
- Art. 77 FC
- Art. 96 para. 2 lit. a FC
- Art. 110 FC
- Art. 117a FC
- Art. 118 FC
- Art. 123b FC
- Art. 136 FC
- Art. 166 FC
-
- Art. 11 CO
- Art. 12 CO
- Art. 50 CO
- Art. 51 CO
- Art. 84 CO
- Art. 143 CO
- Art. 144 CO
- Art. 145 CO
- Art. 146 CO
- Art. 147 CO
- Art. 148 CO
- Art. 149 CO
- Art. 150 CO
- Art. 701 CO
- Art. 715 CO
- Art. 715a CO
- Art. 734f CO
- Art. 785 CO
- Art. 786 CO
- Art. 787 CO
- Art. 788 CO
- Transitional provisions to the revision of the Stock Corporation Act of June 19, 2020
- Art. 808c CO
-
- Art. 2 PRA
- Art. 3 PRA
- Art. 4 PRA
- Art. 6 PRA
- Art. 10 PRA
- Art. 10a PRA
- Art. 11 PRA
- Art. 12 PRA
- Art. 13 PRA
- Art. 14 PRA
- Art. 15 PRA
- Art. 16 PRA
- Art. 17 PRA
- Art. 19 PRA
- Art. 20 PRA
- Art. 21 PRA
- Art. 22 PRA
- Art. 23 PRA
- Art. 24 PRA
- Art. 25 PRA
- Art. 26 PRA
- Art. 27 PRA
- Art. 29 PRA
- Art. 30 PRA
- Art. 31 PRA
- Art. 32 PRA
- Art. 32a PRA
- Art. 33 PRA
- Art. 34 PRA
- Art. 35 PRA
- Art. 36 PRA
- Art. 37 PRA
- Art. 38 PRA
- Art. 39 PRA
- Art. 40 PRA
- Art. 41 PRA
- Art. 42 PRA
- Art. 43 PRA
- Art. 44 PRA
- Art. 45 PRA
- Art. 46 PRA
- Art. 47 PRA
- Art. 48 PRA
- Art. 49 PRA
- Art. 50 PRA
- Art. 51 PRA
- Art. 52 PRA
- Art. 53 PRA
- Art. 54 PRA
- Art. 55 PRA
- Art. 56 PRA
- Art. 57 PRA
- Art. 58 PRA
- Art. 59a PRA
- Art. 59b PRA
- Art. 59c PRA
- Art. 62 PRA
- Art. 63 PRA
- Art. 67 PRA
- Art. 67a PRA
- Art. 67b PRA
- Art. 75 PRA
- Art. 75a PRA
- Art. 76 PRA
- Art. 76a PRA
- Art. 90 PRA
-
- Vorb. zu Art. 1 FADP
- Art. 1 FADP
- Art. 2 FADP
- Art. 3 FADP
- Art. 5 lit. f und g FADP
- Art. 6 Abs. 6 and 7 FADP
- Art. 7 FADP
- Art. 10 FADP
- Art. 11 FADP
- Art. 12 FADP
- Art. 14 FADP
- Art. 15 FADP
- Art. 19 FADP
- Art. 20 FADP
- Art. 22 FADP
- Art. 23 FADP
- Art. 25 FADP
- Art. 26 FADP
- Art. 27 FADP
- Art. 31 para. 2 lit. e FADP
- Art. 33 FADP
- Art. 34 FADP
- Art. 35 FADP
- Art. 38 FADP
- Art. 39 FADP
- Art. 40 FADP
- Art. 41 FADP
- Art. 42 FADP
- Art. 43 FADP
- Art. 44 FADP
- Art. 44a FADP
- Art. 45 FADP
- Art. 46 FADP
- Art. 47 FADP
- Art. 47a FADP
- Art. 48 FADP
- Art. 49 FADP
- Art. 50 FADP
- Art. 51 FADP
- Art. 54 FADP
- Art. 57 FADP
- Art. 58 FADP
- Art. 60 FADP
- Art. 61 FADP
- Art. 62 FADP
- Art. 63 FADP
- Art. 64 FADP
- Art. 65 FADP
- Art. 66 FADP
- Art. 67 FADP
- Art. 69 FADP
- Art. 72 FADP
- Art. 72a FADP
-
- Art. 2 CCC (Convention on Cybercrime)
- Art. 3 CCC (Convention on Cybercrime)
- Art. 4 CCC (Convention on Cybercrime)
- Art. 5 CCC (Convention on Cybercrime)
- Art. 6 CCC (Convention on Cybercrime)
- Art. 7 CCC (Convention on Cybercrime)
- Art. 8 CCC (Convention on Cybercrime)
- Art. 9 CCC (Convention on Cybercrime)
- Art. 11 CCC (Convention on Cybercrime)
- Art. 12 CCC (Convention on Cybercrime)
- Art. 25 CCC (Convention on Cybercrime)
- Art. 29 CCC (Convention on Cybercrime)
- Art. 32 CCC (Convention on Cybercrime)
- Art. 33 CCC (Convention on Cybercrime)
- Art. 34 CCC (Convention on Cybercrime)
FEDERAL CONSTITUTION
CODE OF OBLIGATIONS
FEDERAL LAW ON PRIVATE INTERNATIONAL LAW
LUGANO CONVENTION
CODE OF CRIMINAL PROCEDURE
CIVIL PROCEDURE CODE
FEDERAL ACT ON POLITICAL RIGHTS
CIVIL CODE
FEDERAL ACT ON CARTELS AND OTHER RESTRAINTS OF COMPETITION
FEDERAL ACT ON INTERNATIONAL MUTUAL ASSISTANCE IN CRIMINAL MATTERS
DEBT ENFORCEMENT AND BANKRUPTCY ACT
FEDERAL ACT ON DATA PROTECTION
SWISS CRIMINAL CODE
CYBERCRIME CONVENTION
In a nutshell
As the cornerstone of data processing by state bodies, the requirement of a legal principle is of primary importance.
For data processing by federal bodies, Art. 34 FADP illustrates both Art. 5 FC, according to which all state action requires a basis in law, and Art. 36 FC, which sets out the requirements for fundamental rights interventions in general; the provision thus constitutes concretized constitutional law. The processing of personal data by public bodies constitutes an interference with the fundamental right to protection of informational self-determination under Article 13 para. 2 FC; depending on the context, a wide variety of other fundamental rights may also be affected. Art. 34 FADP schematically expresses the required norm level.
The new provision on the legal basis, which is unbundled compared to the previous version of the same norm, reflects the increased importance of the correct legal support of data processing by state bodies in the age of digital processing of large amounts of data.
I. general
A. preliminary remarks
1 A legal basis is a generally abstract norm issued by a competent state body. In detail, the applicable law determines which requirements a legal basis must meet. At the federal level, specifications in this regard can be found, for example, in the Federal Constitution (Art. 164 FC) or in parliamentary law (e.g. Art. 22 ParlG). The norm that serves as the legal basis in the individual case may originate from national or international law.
2 The terminology used in connection with the principle of legality shows a certain heterogeneity. In the following, for the requirement of a general-abstract regulation, referred to in Art. 34 FADP as "legal basis", the general term of the legal principle is also used. Furthermore, the law enacted by the legislature is described by the term "legal form" or "law in the formal sense". Lower-level enactments are considered "laws in the substantive sense" , as also expressed in Art. 34 para. 3 FADP.
B. purpose and background
3 Article 34 FADP specifies for data protection law what already applies to state action: in addition to the general principle of legality of Article 5 para. 1 FC, according to which the law forms the basis and barrier of state action, Article 36 para. 1 FC requires a legal basis for encroachments on fundamental rights. Art. 34 FADP provides schematic guidelines on the normative level for various types of data processing - and thus for various encroachments on fundamental rights, first and foremost encroachments on the fundamental right to informational self-determination (Art. 13 para. 2 FC).
C. history of origins
4 The Federal Council's draft of the first federal data protection law from 1988 already contained a provision that was similar to the one commented on here; in particular, a distinction was already made between the processing of ordinary personal data and data requiring a higher level of protection in the form of personal data requiring special protection and personality profiles. The predecessor provision Art. 17 aDSG, which has been modified in the meantime, provided for the basic principle of the legal basis and also stipulated exceptions, the scope of which was not very clear and accordingly gave rise to criticism.
5 The new provision makes a structural unbundling; in addition to the unchanged basic principle (para. 1), it clearly distinguishes between the requirement of legal form (para. 2), situations with a lowered normative level (para. 3) and situations in which the requirement of a legal principle can be completely deviated from (para. 4).
II. the principle of legality in data protection
A. role and functions of the principle of legality in general
1. legal basis as a prerequisite for interference with fundamental rights and as a principle of state action
6 In the processing of personal data by state authorities, encroachments on positions protected by fundamental rights take place: First and foremost, this concerns Art. 13 FC and specifically its para. 2 (fundamental right to "informational self-determination") as well as Art. 8 ECHR and Art. 17 UN Covenant II. What is protected is not only, contrary to the wording of Art. 13 para. 2 FC, the protection against misuse of personal data, but the private sphere, insofar as it also includes data about the respective person. In addition, a wide variety of other fundamental rights may be affected, including the right to personal freedom (Art. 10 para. 2 FC) and freedom of expression (Art. 16 FC), especially with increasing digitization, in which every state activity is accompanied by data processing.
7In Art. 36 para. 1, the Federal Constitution provides that restrictions of fundamental rights require a legal basis; serious restrictions must be provided for in law, unless there is a case of "serious, imminent danger that cannot be averted in any other way". Furthermore, restrictions on fundamental rights must serve the implementation of a public interest and be proportionate; the core content of the fundamental right must be preserved (cf. criteria of Art. 36 FC).
8In its role as a principle of state action, Art. 5 para. 1 FC provides that state action requires a basis in law and, at the same time, it is law that sets limits to any state action ("barriers", in the words of the constitutional legislator). The administration - in the terminology of the FADP, the "federal body" - may therefore only act if there is a legal basis for it, and may only go as far as the action is covered by the relevant basis. This applies regardless of the legal nature of the state action, even if the requirements of the principle of legality take on different forms depending on the situation and the risk involved.
2. level and density of norms
9Article 36 para. 1 FC already indicates that the required legal sentence must meet heightened requirements in the case of serious restrictions of fundamental rights. The more serious the encroachment on fundamental rights, the higher the requirements for the level and density of the norm. Serious restrictions must be provided for in the law itself, i.e. in a law in the formal sense (norm level) and must take sufficient account of the requirement of certainty (norm density). At a minimum, legal norms must be formulated in each case "so precisely that those subject to the law can direct their conduct accordingly and recognize the consequences of certain conduct with a degree of certainty appropriate to the circumstances". In which case which condition of the legal norm is sufficient is often not easy to answer and depends strongly on the individual case. In the words of Tschannen/Müller/Kern: the principle of legality is "of unpleasant shorelessness". For federal law, Art. 164 FC at least provides an exemplary list of topics for which the basic provisions are considered important law-making provisions and must therefore be regulated in a law in the formal sense; these are:
Exercise of political rights;
Limitations of constitutional rights;
Rights and obligations of persons;
The group of persons liable to levies and the object and assessment of levies;
Duties and services of the Confederation;
Obligations of the Cantons in the implementation and enforcement of federal law;
Organization and procedures of the federal authorities.
10 For its part, doctrine proposes the following criteria for circumscribing the importance of a regulatory object:
Intensity of the interference;
Number of persons affected by a regulation or the life circumstances regulated;
financial importance;
Significance for political decision-making, the organization of state institutions or the procedure and
Explosiveness or acceptability of the issue.
11 The need for flexibility and rapid adaptation or special expertise, on the other hand, tend to speak in favor of regulations at a lower normative level.
12 These general requirements of the Federal Constitution must be taken into account when designing legal foundations in accordance with Art. 34 FADP. Art. 34 FADP specifies the required norm level for certain typified data protection situations, but not the norm density (see on norm density infra nos. 18-19). For the context of data protection that is of interest here, the focus from the catalogs cited above is on, among other things, the restriction of constitutional rights or the intensity of encroachments on fundamental rights, as well as provisions on the "rights and obligations of persons". With increasing digitization, however, the explosive nature of the issues is also increasingly playing a role as a criterion for the form of legislation, which is currently evident, for example, in the use of artificial intelligence or, more specifically, facial recognition in public spaces.
13 If legislative powers are to be delegated from the legislative to the executive, the general requirements of legislative delegation developed by case law and doctrine also come into play in data protection. Thus, the delegation of legislative powers may not be excluded by the relevant law (cf. Art. 164 para. 1 FC); the delegation norm must be contained in an enactment at the legislative level; the delegation must be limited to a specific subject matter and the main features of this subject matter must already be listed in the law.
B. requirement of the legal principle pursuant to Art. 34 FADP
1. basic principle para. 1
14 With the fundamental requirement of a legal principle, data processing by federal bodies is subject to a prohibition with reservation of permission; this is in contrast to data processing by private persons. The requirement applies regardless of the type of data processing (see the legal definition of processing in Art. 5 lit. d FADP; for the special case of disclosure, see Art. 36 FADP). Art. 34 FADP merely provides the basic principle; it cannot itself be used as a direct legal basis. Furthermore, para. 1 makes no statement as to the normative level at which the legal sentence is to be located or what normative density it must have.
15 Moreover, it follows from the systematics of the FADP that the remaining general provisions of the law, in particular the data processing principles of Art. 6 FADP and the provisions on security pursuant to Art. 8 FADP, apply cumulatively. Thus, for example, the existence of a legal basis does not exempt from the obligation to observe the principle of proportionality and to process only the data effectively required for the performance of the public task.
16 The legal text of Art. 34 FADP refers to the processing of personal data by federal bodies. With regard to the definition of federal body, Art. 5 lit. i FADP expresses that this covers not only the organizationally assigned units of the administration and public institutions of the Confederation, but also private individuals, provided they are entrusted with the performance of public tasks of the Confederation (see there).
17 Notwithstanding the indications on the normative level in para. 2-4, it is often not entirely clear in legislative practice what the normative density of the legal basis should be. This problem manifests itself, for example, in the question of whether a general ("indirect") legal basis is sufficient ("Office X fulfills the legal task Y") or whether a specific legal basis tailored to a certain data processing is required ("In order to process applications for subsidies, Office X processes the following personal data: ...", etc.).
18 On the question of the nature of the legal basis, the Federal Office of Justice has written a legislative guide that provides specific guidelines for legal bases in the area of data protection. Against the background of the functions of the principle of legality (see infra n. 43 ff.) and the postulate that the citizen should be able to direct her conduct in accordance with the relevant norm, the following elements must be regulated:
Which authority (who)
processes which categories of personal data (what),
for what purpose (why) and
in what way (how)?
To whom, if anyone, is personal data disclosed (to whom) and
in what way (how)?
19 In particular, it must be stated under what whether personal data requiring special protection are also processed and, if so, which categories (cf. Art. 5 lit. c FADP), whereas the precise attributes can be specified in an ordinance if the law is sufficiently dense. The more serious the encroachment on fundamental rights, the more detailed and precise the legal basis must be formulated, although in view of the rapid development of information and communication technologies, a certain flexibility in the formulation and an accompanying vagueness will sometimes have to be accepted. The processing also includes information on the retention period and deletion of the personal data.
20 To the extent that this provides the legal sentence with the transparency required by law vis-à-vis the data subjects, the obligation to provide information under Art. 19 FADP does not apply (cf. Art. 20 para. 1 lit. b FADP).
21 Special rules can be provided for in the respective substantive laws, which take precedence over the requirements of the FADP as lex specialis and, at least theoretically, can also deviate from them downwards. The Federal Supreme Court and doctrine assume, however, that the general principles of data protection law must still be observed in such cases.
2. legal form for cases under para. 2
22 The second paragraph requires the form of law (law in the formal sense) for cases in which the data processing may lead to a weighty encroachment on the fundamental rights of the persons concerned. Where the processing of personal data requiring special protection (lit. a) and profiling (lit. b) are concepts and terms defined in the FADP, para. 2 also provides a general clause that applies when either the purpose of the processing or the manner in which the data is processed may lead to a serious interference with the fundamental rights of the data subjects (lit. c). However, the requirement of the legal form for data processing with great relevance to fundamental rights already results from Art. 36 para. 1 FC, irrespective of which letter of para. 2 a matter is assigned to.
23 The two parameters of the objective and the manner of processing mentioned in lit. c are the main elements used to evaluate the encroachment on the corresponding fundamental right. In view of the fundamental rights context, they are not exhaustive.
24 If it is not possible to base data processing on a sufficiently precise, detailed legal basis, case law confirms that a particularly strict handling of the proportionality test, for example, can have a certain compensatory effect.
3. substantive legal basis for cases under para. 3
25Para. 3 provides for the possibility of a reduced standard level for the processing of personal data requiring special protection and profiling, provided that two conditions are met cumulatively: The processing is indispensable for a task formally defined by law; and the purpose of the processing does not pose any particular risks to the fundamental rights of the data subject.
26 Due to the constitutional framework, it is again conceivable - even if the examples are likely to be rare - that deviations may arise that are not specifically enumerated by para. 3: For example, the social explosiveness of a topic could lead to the fact that the legal form must nevertheless be required for corresponding data processing; it is therefore the manner of data processing, instead of the purpose mentioned by para. 3, that gives rise to an increase in the norm level.
a. indispensability for a task described in the law (lit. a)
27 With regard to the wording of para. 3 lit. a, it is noticeable compared to the previous version (Art. 17 para. 2 lit. aDSG) that it should no longer be possible to refer to the reduced standard level merely "by way of exception". In the previous version, the position could be taken that it was only a matter of selective exceptional processing of data in situations in which no such processing would normally be necessary to fulfill the corresponding legal task. The current wording clearly deviates from this by dispensing with the requirement that an exceptional situation must exist. Accordingly, it must be assumed that the processing of particularly sensitive personal data and personality profiles on a permanent basis is also possible on an ordinance basis if the two requirements of para. 3 are met.
b. The purpose of the processing does not pose any particular risks to the fundamental rights of the data subject (lit. b).
28 para. 3 lit. b applies to those processing operations that fall into an intermediate category: Although these are types of processing that would typically lead to a serious encroachment on fundamental rights (which is why para. 2 normally requires a formal legal basis for them), in the specific case the purpose of the processing does not pose any particular risks to the fundamental rights of the data subjects. According to the Federal Council's dispatch, this refers in particular to data requiring special protection that is processed in the context of Federal Council, departmental and official business; mentioned are appeal decisions, state liability cases or federal personnel business. In addition, the formal legal basis must sufficiently specify the nature of the tasks for which the processing of personal data is necessary.
29 The wording in para. 3 lit b may be surprising, since it refers only to the "purpose of processing" without including the "manner of data processing" mentioned so far in para. 2 lit c. The wording in para. 3 lit b is not clear. It can be assumed that the legislator primarily wanted to remind people that data processing, which already appears to be sensitive from a fundamental rights point of view due to its purpose, requires a basis in the form of a law in any case, even if the type and manner of processing in the individual case entails few risks of its own.
4. Para. 4: Collection of Exceptions to the Requirements of Paras. 1-3
30 para. 4 exempts three ideal-typical situations (written as alternatives) from the requirement of a legal sentence:
Authorization of processing by the executive branch (in this case, the Federal Council), where authorization must also be based on the requirement that the rights of the data subjects are not likely to be jeopardized (lit. a);
Consent by the data subject in the individual case or the unconditional release of personal data by the same (lit. b) or
The urgent, overriding interest in the form of the protection of the life or physical integrity of the data subject or a third party in a situation that makes it impossible to obtain consent (lit. c).
31 Where para. 3 merely reduces the requirements for the legal basis, para. 4 provides, according to the wording, that no legal principle, neither a law nor a legal principle of a substantive nature, is required for certain cases. Insofar as the requirement of a legal principle is now explicitly waived, this provision is formally the biggest innovation compared to previous versions of the same provision in the FADP. For the circumstances according to lit. a and b, both of which could already be found in the previous version, a welcome clarification is provided; it could not be read with certainty from the wording of the previous standard whether a complete waiver of a legal basis was intended or not.
a. federal council authorization (lit. a)
32 According to lit. a, the Federal Council authorizes processing because it "does not consider the rights of the data subject to be at risk". Whereas the previous version explicitly stated that this authorization was limited to the individual case, this addition is missing in the current wording. According to the dispatch, however, nothing is to change in the norm despite the difference in wording; this is also clear from the context on closer examination. In this context, the authorization is to be seen as a form of decision in contrast to the general-abstract regulation. The latter takes the form of a Federal Council ordinance (Art. 182 para. 1 FC), i.e. a substantive legal basis that is either law-enforcing or law-representing (and in the second case requires authorization by a law). The case of action without a legal statute envisaged by para. 4 lit. a is therefore necessarily conceived for the individual case.
33 To the same extent as in the previous version, the wording according to which the "rights of the person concerned shall not be endangered" appears obscure. This formulation deviates from the wording in para. 3 lit. b, which states that the purpose of the processing "does not pose any particular risks to the fundamental rights of the data subject". Nevertheless, in view of the fact that any data processing by public bodies represents an encroachment on fundamental rights, it must be assumed that the formula used in para. 4 also means the same as in para. 3 lit. b, namely that a minor encroachment on fundamental rights must be assumed.
b. consent (lit. b)
34 In lit. b, consent substitutes the legal basis. In the case of unconditional release of data, consent is presumed; in this case, knowing and willing disclosure by the data subject is required. See on consent in general Art. 6 para. 6 and 7 FADP and on the question of consent as a valid substitute for a legal basis below infra n. 42 ff.
c. police clause under data protection law (lit. c)
35 Lit. c takes aim at the protection of urgent, overriding interests, concretized in the form of the protection of the life or physical integrity of the data subject or a third party. The prerequisite is that it is not possible to obtain the consent of the person concerned within a reasonable period of time, which is the case, for example, if the person is not in a responsive state (coma or similar) or cannot be found. This standard is a case of "police interests" specified under data protection law. In this respect, it fits easily into the scheme of Article 36 para. 1 FC, which exempts "cases of serious, imminent danger that cannot be averted in any other way" from the requirement of a legal basis. Not explicitly written down, but inherent in the nature of the police clause, is the requirement that it must be an individual case, which means, for example, that police or intelligence service data processing in the context of recurring danger situations may not be carried out solely on the basis of para. 4 lit. c.
5. casuistry on the intensity of intervention and on the requirements of the norm
36 According to Art. 17 para. 2 aDSG, the processing of administrative assistance data relating to business relationships or bank details does not require a basis in law. The encroachment on constitutional rights in connection with the data to be collected in the case of administrative assistance does not, as a rule, weigh particularly heavily here, so that the requirements for the definiteness of the norm are also "not excessively high" (BGE 148 II 349 E. 5.3.3-5.3.4).
37 The legal basis that provides for the use of radio water meters by the municipal water supply must explicitly provide that the recorded hourly values are stored on the water meter for X days and sent out by radio at regular intervals (BGE 147 I 346 E. 5.4.1).
38 If, in addition to the license plate and thus the identity of the owner, the time, location, direction of travel and identity of other vehicle occupants are also obtained during the automated vehicle search, this data processing is within the scope of a "conventional determination of identity", which does not yet constitute a serious encroachment on fundamental rights. However, this changes significantly with the merging and automatic comparison of this data with other data records (there is talk of "serial and simultaneous processing of large and complex data records within fractions of a second") and the subsequent use by the authorities; the intensity of the interference increases "considerably", among other things because of the danger that persons may be wrongly suspected (BGE 146 I 11 E. 3.2).
39 The entry in a watchlist maintained by FINMA, which serves as a preliminary stage to possible restrictions on gainful employment in the area of the financial market and, in sum, leads to an actual personality profile, constitutes a serious encroachment on Article 13 para. 2 FC and requires a basis in the form of law (BGE 143 I 253 E. 4).
40 If a police law places the technical surveillance of generally accessible places under the catchphrase of "safeguarding public order and security", this statement of purpose is insufficient and, in particular, does not allow the legal basis to be examined for its proportionality (in particular, the relationship between the ends and the means). (BGE 136 I 87 E. 8.3-8.4).
41 The sufficient definiteness of a norm can also result from the network of applicable norms: If it is objected that Art. 91 para. 5 SchKG has an insufficient density of norms for the disclosure of data containing personal data and/or personality profiles that are particularly worthy of protection, this must be countered by the fact that the provision is only applied within the framework of the execution of the attachment. Thus, the purpose and scope of the data processing are defined sufficiently precisely. (BGE 124 III 170 E. 3a)).
6. excursus: consent "in individual cases" (para. 4 lit. b)
42 In public data protection law, it is often not clear to what extent consent can replace the legal basis. The question of consent arises particularly acutely where serious encroachments on fundamental rights positions are involved; the focus here is on the waiver of fundamental rights or consent to particularly serious encroachments on fundamental rights. At the other end of the spectrum of interference, however, there may be just as many question marks, for example when it comes to the sending of a newsletter by a public authority or the obtaining of a reference in a recruitment procedure. Art. 34 FADP provides under para. 4 lit. b for consent as a substitute for the rule of law, and the same applies to Art. 36 para. 2 lit. b FADP with respect to the disclosure of personal data. In both cases, consent is linked to the individual case, but is otherwise not subject to the condition that the facts of the case are of little or no danger. In contrast to consent in private data protection law (see Art. 6 para. 6 and 7 FADP), it is not sufficient in public law for consent to be voluntary and informed. In addition, consent must be suitable in the specific case to take over the functions of the principle of legality at play. Beyond these substantive requirements, consent in public law is not bound by any form.
43 The Federal Supreme Court and doctrine agree that the principle of legality fulfills two types of functions. On the one hand, it pursues democratic concerns; these include securing the supremacy of the will of the people on the one hand and the separation of powers on the other. On the other hand, it fulfills the functions of the rule of law; in this context, it ensures the protection of the individual against arbitrary action by the state, equal treatment and the predictability of state action.
44 Under certain conditions, consent can certainly replace the constitutional functions of protection against arbitrariness and predictability of state action. For this to be the case, the scope of the consent must be recognizable at the time it is given, and the context must be one in which the voluntary nature of the consent can be assumed in good faith.
45 However, a first restriction arises from the constitutional function of equal treatment: as soon as it is a matter of granting rights or imposing duties, consent can only be operationalized as a substitute for a legal principle if only individual persons are affected. Where democratic concerns are in the foreground, consent is no longer able to provide any functional compensation.
46 Accordingly, depending on the facts of the case, it must be examined, with recourse to the concerns of the principle of legality and the criteria for the requirement of legal form (see supra nos. 9-10), whether a waiver of a legal basis and reliance on consent can be justified.
47 For data processing by federal bodies, Art. 34 para. 4 lit. b FADP delimits admissibility by limiting consent to the individual case. In view of what has been said, it can be assumed that the number of situations must be very limited, both in terms of subject matter and time, and furthermore for the introduction of rights and obligations also in personal terms.
48 Therefore, despite the schematic specification of the FADP with regard to encroachments on fundamental rights, the question can ultimately only be answered reliably in concrete terms, taking into account the concerns at issue. For example, the aforementioned newsletter of an authority can be sent on the basis of consent even in the case of a very large number of recipients and also with an unlimited periodicity, whereas the use of facial recognition systems even in an area that is narrowly defined in terms of location, time and personnel is unlikely to be permissible on the basis of consent in individual cases due to the intensity of the encroachment on the fundamental rights of the persons concerned and the social explosiveness of the technology used.
Bibliography
Ballenegger Sarah, Kommentierung zu Art. 17 DSG, in: Maurer-Lambrou Urs/Blechta Gabor-Paul (Hrsg.), Datenschutzgesetz/Öffentlichkeitsgesetz, 3. Aufl., Basel 2014.
Dubey Jacques, Kommentierung zu Art. 5 BV, in: Martenet Vincent/Dubey Jacques (Hrsg.), Commentaire romand Constitution fédérale, Basel 2021.
Epiney Astrid/Posse Samah, Kommentierung zu Art. 34 DSG, in: Meier Philippe/Métille Sylvain (Hrsg.), Commentaire romand, Loi sur la protection des données, Basel 2023 (Publikation zum Zeitpunkt der Abgabe der vorliegenden Kommentierung bevorstehend).
Epiney Astrid, Staatliche Überwachung versus Rechtsstaat: Wege aus dem Dilemma?, AJP 2016, S. 1503-1515.
Häfelin Ulrich/Müller Georg/Uhlmann Felix, Allgemeines Verwaltungsrecht, 8. Aufl. Zürich/St. Gallen 2020.
Häner Isabelle, Die Einwilligung der betroffenen Person als Surrogat der gesetzlichen Grundlage bei individuell-konkreten Staatshandlungen, ZBl 103 (2002), S. 57-76.
Mund Claudia, Kommentierung zu Art. 34 DSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Datenschutzgesetz, Stämpflis Handkommentar, 2. Aufl., Bern 2023.
Rosenthal David/Jöhri Yvonne, Handkommentar zum Datenschutzgesetz sowie weiteren, ausgewählten Bestimmungen, Zürich 2008.
Tschannen Pierre, Staatsrecht der Schweizerischen Eidgenossenschaft, 5. Aufl. Bern 2021.
Tschannen Pierre/Müller Markus/Kern Markus, Allgemeines Verwaltungsrecht, 5. Aufl. Bern 2022.
Waldmann Bernhard/Bickel Jürg, Datenbearbeitung durch Bundesorgane, in: Belser Eva Maria/Epiney Astrid/Waldmann Bernhard (Hrsg.), Datenschutzrecht, Grundlagen und öffentliches Recht, Bern 2011, S. 639-764.
Waldmann Bernhard/Oeschger Magnus, Datenbearbeitung durch kantonale Organe, in: Belser Eva Maria/Epiney Astrid/Waldmann Bernhard (Hrsg.), Datenschutzrecht, Grundlagen und öffentliches Recht, Bern 2011, S. 765-894.
Wyss Martin Philipp, Öffentliche Interessen – Interessen der Öffentlichkeit?, Bern 2001.
Materials
Bundesamt für Justiz, Gesetzgebungsleitfaden, Leitfaden für die Ausarbeitung von Erlassen des Bundes, 4. Aufl. 2019, abrufbar unter https://www.bj.admin.ch/bj/de/home/staat/legistik/hauptinstrumente.html, besucht am 21.2.2023 (zit. Gesetzgebungsleitfaden).
Botschaft zum Bundesgesetz über die Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz vom 15.9.2017, BBl 2017 S. 6941 ff., abrufbar https://www.fedlex.admin.ch/eli/fga/2017/2057/de, besucht am 31.3.2023 (zit. Botschaft 2017).
Botschaft zum Bundesgesetz über den Datenschutz (DSG) vom 23.3.1988, BBl 1988 II S. 413 ff., abrufbar unter https://www.fedlex.admin.ch/eli/fga/1988/2_413_421_353/de, besucht am 31.3.2023 (zit. Botschaft 1988).