27th January 2010

On October 14th, 2009 Google rejected large parts of the recommendation of the Federal Data Protection and Information Commissioner (FDPIC) regarding Street View. Google only agreed to refrain from posting additional pictures until the end of 2009.

As a consequence, on November 11th, 2009 the FDPIC filed an action against Google before the Federal Administrative Court. The FDPIC’s claims are basically identical to its recommendation. It contends that Google must ensure that:

• faces and licence plates are made completely unrecognizable before pictures are placed online;
• the anonymity of individuals in sensitive areas is guaranteed;
• no pictures are taken of private areas (courtyards, etc.) and that pictures of such areas which have already been placed online are taken down;
• pictures taken from a private street are taken down unless consent was obtained for taking such pictures;
• Google must give at least one week's advance notice of where (towns, villages) it will take pictures in the following week;
• Before placing pictures of towns and villages online, Google must give at least one week's advance notice as to which towns and villages it will place online.

In addition, as preliminary measures, the FDPIC has asked the court to enjoin Google from placing online pictures taken in Switzerland until the judgment has become final and to enjoin Google from taking additional pictures in Switzerland until further notice.

On December 16th, 2009, the FDPIC and Google reached an agreement in relation with the preliminary measures requested by the FDPIC. The agreement includes the following points:

• Google will refrain from placing any further pictures taken in Switzerland for Street View online until the judgment of the Federal Administrative Court has become final and binding;
• Google has agreed to accept a final and binding judgment of the Federal Administrative Court;
• Google is entitled to continue to take pictures in Switzerland, but may use them only for internal, non-person-related processing and may not place them online until the judgment in its favour has become final and binding;
• Google will give at least one week's advance notice of where (districts, surrounding areas of towns) it will take pictures in the following week;
• The FDPIC has agreed to withdraw its requests for injunctions;
• The agreement has no other effect on the pending main proceedings.

The judgment of the Federal Administrative Court in this matter is not expected to be rendered for several months.

2nd October 2009

As in other countries, Google launched its Google Street View service in Switzerland in August 2009. This service allows an online virtual tour of parts of Switzerland. In order to create this service, Google has used specially equipped vehicles to take pictures of specific streets or houses and approximately 20 million pictures are now online. Google uses software which automatically blurs faces and licence plates of vehicles in order to render them unrecognizable before putting them online. Because this process is not 100% effective, faces and licence plates which are still recognizable can be notified to Google or the removal of the pictures can be requested.

The Federal Data Protection and Information Commissioner (FDPIC) opened an investigation on whether this service breaches the privacy of persons in Switzerland and on 11 September 2009 it issued a recommendation to Google.

The recommendation is published on the website of the FDPIC (http://www.edoeb.admin.ch/dokumentation/00445/00508/index.html?lang=de; only in German). In essence, the FDPIC found that the processing of personal data by Google violates the principle of proportionality set out in art. 4 para. 2 of the Swiss Data Protection Act because not all of the faces and licence plates are blurred when the images are first placed online and a request for the faces and license plates to be blurred or for the removal of the pictures after the fact is not sufficient in this respect. In addition, the FDPIC points out that blurring the faces and licence plates does not under all circumstances make it impossible for the person concerned to be recognized and that the potential identification of a person connected to a “sensitive sector” (hospitals, courts, prisons, red light districts, etc.) makes the breach of the personality rights of the person concerned more severe. The FDPIC also held that Google's use of a camera from a height of approximately 2.75 meters above the ground sometimes resulted in photographs of the inside of private courtyards which are screened from view by an ordinary passerby and that some of the pictures have also been taken on private streets. The FDPIC also considers these situations to constitute breaches of the personality rights of the persons concerned.

The FDPIC opined that no justifications for the aforementioned breaches exist and therefore Google's Street View service constitutes an unlawful breach of the personality rights of the persons concerned and issued the following recommendation to Google:

a)	Google Inc. shall refrain until further notice from placing new pictures taken in Switzerland on Street View online;
b)	Google Inc. shall provide a better system for rendering faces and licence plates completely unrecognizable in pictures that are already online;
c)	Google Inc. shall ensure the anonymity of persons connected to “sensitive sectors”;
d)	Google Inc. shall ensure that pictures which show the inside of private, enclosed courtyards which cannot be seen by an ordinary passerby are either not taken at all or removed. Google shall in the future use the camera in a way that no photographs of protected private areas are possible;
e)	Pictures which have been made from private streets have to be removed unless consent has been given;
f)	Google Inc. shall give notice at least one week in advance of the locations where it will take pictures in the following week;
g)	Google Inc. shall give notice one week in advance of the locations that will be placed online.

The FDPIC set a time limit of 30 days to Google Inc. to notify the FDPIC whether it accepts or rejects the recommendation. If Google Inc. rejects the recommendation or if it is not followed, the FDPIC may refer the matter to the Federal Administrative Court for a decision. The decision of the Federal Administrative Court could be appealed by the FDPIC or Google Inc. to the Federal Supreme Court for final decision.

17th February 2009

Personal data may only be disclosed or transferred from Switzerland to a recipient in the U.S.A. if an exception specified by Art. 6 para. 2 of the Swiss Data Protection Act (DPA) applies because neither U.S. federal law nor the laws of any U.S. state are considered under Swiss law to guarantee an adequate level of data protection. If none of the other exceptions set out in Art. 6 para. 2 DPA are available, the data exporter needs to enter into a specific cross-border data transfer agreement with the recipient in the U.S.A. and notify the Federal Data Protection and Information Officer about it. These requirements are cumbersome and have often been disregarded despite the risk of sanctions.

In December 2008, the U.S. Department of Commerce and the Federal Data Protection and Information Commissioner completed negotiations for a U.S.-Swiss Safe Harbor Framework. This framework is based on the EU-U.S. Safe Harbor Framework and aims to facilitate transfers of personal data from Switzerland to recipients in the U.S.A.

The U.S.-Swiss Safe Harbor Framework entered into force on the 16th of February 2009.

If a recipient based in the U.S.A. has certified its adherence to the U.S.-Swiss Safe Harbor Framework to the U.S. Department of Commerce, personal data concerning natural persons that is covered by the certification may be disclosed or transferred to it from Switzerland even if none of the exceptions set out in Art. 6 para. 2 DPA are met. In fact, the certification of adherence to the U.S.-Swiss Safe Harbor Framework creates an adequate level of data protection with respect to such recipient and the personal data covered by its certification.

Adherence to the U.S.-Swiss Safe Harbor Framework is not compulsory, but it greatly facilitates the transfer of personal data from Switzerland to the U.S.A. This is particularly true if the recipient in the U.S.A. has already certified its adherence to the EU-U.S. Safe Harbor Privacy Principles.

The U.S.-Swiss Safe Harbor Framework is limited in scope. It covers only the transfer of personal data concerning natural persons (and not legal entities). In addition, certain types of data or methods of data processing might not be included in a particular certification. Even if a recipient has given a certification under the U.S.-Swiss Safe Harbor Framework, it is important to ensure that the personal data to be transferred are actually covered by the certification. If the data are not covered, it might still be necessary to enter into a specific cross-border transfer agreement and inform the Federal Data Protection and Information Commissioner before the transfer is made or access to the data is provided.