Data protection is an area of law that is evolving rapidly. In the European Union (“EU”), the General Data Protection Regulation (EU) 2016/679 (“GDPR”) was implemented on 25 May 2018. Switzerland is currently in the process of revising its Federal Act on Data Protection (“FADP”). Both texts introduce new provisions to regulate data processing, especially in light of the ongoing technological developments. Indeed, profiling and automated decision-making are used in an increasing number of sectors, both private and public. On the one hand, they allow the tailoring of services and products to align with each individual’s needs. On the other hand, these processes are often opaque, and individuals might not be aware that they are being profiled or understand what it involves.
This newsletter aims to give an overview of the specific provisions that enter into account when processing personal data, under Swiss law –with guidance from GDPR and Working parties-, and to give a critical analysis of the limits of such provisions.
The notion of profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a person, in particular to analyse or predict elements of such person’s behaviour, interests, preferences, economic situation, etc.Profiling is often used to make predictions about people, using data from various sources to infer something about an individual, based on the qualities of others who appear statistically similar.
Automated decision-making refers to the ability to make decisions by technological means, without human involvement. Automated decisions can result from profiling. Furthermore, for the specific provision of art. 22 GDPR/art. 19 P-FADP to be applicable, automated decision-making (including by profiling) should produce legal effects concerning the data subject or similarly significantly affect him or her.
A legal effect requires that the decision affects the person’s legal rights, such as the freedom to associate with others (for instance through the conclusion or cancellation of a contract), vote in an election, etc. If a decision-making process does not have an effect on people’s legal rights, it could still fall within the scope of art. 22 GDPR/art. 19 P-FADP if it produces an effect that is equivalent or similarly significant in its impact. The law does not set the threshold for the degree of the impact that is required, which should be assessed on a case-by-case basis, but taking into consideration the following elements: