Online sales have expanded drastically over the last decade. In Switzerland, it is estimated that 90% of regular internet users have shopped online at least once[1]. In light of this societal evolution, governments and legislators have needed to adapt and legislate. The European Union has adopted specific legislation, whereas the Swiss legal framework applicable to online trade is contained across a number of different, existing acts.
While there is a global increase in the protection of privacy and personal data, consumers continue to increase their purchases of goods and services online. This involves at least the communication of the individual’s name, address, email and banking details.
This newsletter aims to provide a brief overview of the data protection aspects of online trade in Switzerland, with specific comparisons to the EU directives and regulations that are in place in the same field.
ONLINE SALES: GENERAL CONSIDERATIONS
Online sales, or electronic trade, refers to “any transaction involving goods or services where digital electronic communication performs an essential function”[2].
The legal framework of electronic trade varies between the EU and Switzerland[3].
In the EU, there are several directives specific to online trade; the most important of which are Directive 2000/31/EU on online trade and Directive 2011/83/EU on consumers’ rights.
In addition, the General Data Protection Regulation (“GDPR”) applies to all aspects of personal data collection and processing.
On the other hand, in Switzerland, there is no specific legislation for online trade. It is indeed considered that the Code of Obligations (“CO”), the Federal Act on Data Protection (“FADP”), the Federal Act against Unfair Competition (“LCD”) and the Federal Act on Consumer Information suffice to provide a framework for both suppliers and to protect consumers.
DATA PROTECTION IN SWITZERLAND AND IN THE EU
Over the past years, there has been a development and densification of data protection legislation, both on the Swiss and the European Union levels.
Switzerland
The FADP aims to protect the privacy and the fundamental rights of persons when their personal data is processed (art. 1 FADP)[4].
The FADP is applicable to all personal data – that is, the information related to an identified or identifiable person – whether they are processed by a private person or by the State. A person is identifiable as soon as, through an indirect correlation of information, it is possible to identify them using the available technological tools[5]. A particularity of the current FADP is that it applies to personal data relating to both natural and legal persons (art. 2 and art. 3 lit. b FADP)[6].
Thus, an e-commerce website based in Switzerland is subject to the FADP as soon as personal data is collected about customers[7]. This includes one’s name, address and payment information – which are always collected for online sales.
Any processing of such information that contravenes the principles of the FADP (set out in art. 4, art. 5 al. 1 and art. 7 al. 1 FADP), that is contrary to the express will of the person or which, apart from limited circumstances, results in a communication of sensitive data or of a personality profile, constitutes an infringement of the subject’s personality[8].
Ensuring security of personal data is one of the core aspects and principles of data protection under the FADP and its ordinance[9], notwithstanding that neither instruments contain any particular technical requirements. This is because the FADP and its ordinance underline goals to reach through measures that must be taken in relation to each case at hand (art. 8 of the ordinance).
As of today, the FADP contains, in particular, the following provisions[11]:
Personal data must be processed only for the purpose indicated at the time of collection. This is to respect the proportionality principle of art. 4 al. 2 FADP, according to which the processing must be carried out in good faith and must be proportionate; that is to say, adequate, pertinent and not excessive. According to this principle, one must not collect and process personal data that is not objectively necessary to reach the pursued goal[12]. A constant balance of interests between the aim of the data treatment and the infringement to the personality is required.
This information must not be disclosed abroad if it endangers the privacy of the data subject (art. 6 al. 1 FADP). It may only be forwarded outside Swiss borders in limited circumstances and depending on to which country the transfer occurs (art. 6 al. 2 FADP).
Personal data must be protected against any processing that is not authorised by the appropriate technical and organisational measures (art. 7 FADP and art. 8 onwards of the ordinance).
The implementation of a privacy policy should form part of the general terms and conditions afferent to the treatment of personal data[13]. It must comply with the FADP principles. Any website visitor must be informed that their personal data is being collected (through cookies, logs, digital impression, etc.), of how such personal data is processed, by whom and what is to be done with the personal data[14]. Indeed, art. 4 al. 3 FADP requires that personal data may only be processed for the purpose indicated at the time of collection, that is evident from the circumstances, or that is provided for by law.
The more the terms of the privacy policy differ from what is usual, the more the attention of the consumer should be drawn to these elements[15]. In any case, should litigation ensue in respect of data processing, it is the responsibility of the person responsible for the website to prove that the user had knowledge of the privacy policy[16].
The FADP is in the process of being amended in order to comply with the requirements of the GDPR applying in the EU. The revision has been divided into two stages. The first part aims at complying with the EU directive 2016/680 relating to the data protection in criminal matters. The relevant law (Federal Act on data protection in connection with the application of the Schengen action plan in criminal matters, or the LPDS) entered into force on 1 March 2019. The second part will focus on the total amendment of the law, in light of the requirements set down in the GDPR. Its entry into force is planned for 2020. The compliance of the FADP with the GDPR is paramount for Switzerland to keep its attractiveness and to be considered a foreign state which offers sufficient protection according to the EU standards[17].
European Union
In the EU, the GDPR entered into force in May 2018. Any company that interacts with clients in the EU must comply (art. 3 GDPR). In other words, any Swiss entity that has clients or targets persons in the EU must comply with the GDPR in respect of those persons’ personal data.
The main principles of the GDPR are stated at art. 5 GDPR and are as follows:
lawfulness;
fairness and transparency;
purpose limitation;
data minimisation;
trueness and accuracy;
storage limitation; and
integrity and confidentiality.
According to the GDPR and subject to specific exceptions, personal data should only be processed on the basis of the consent of the data subject concerned (art. 4 al. 11 and art. 7 GDPR). This consent must be freely given, specific, informed, unambiguous and revocable[18].
In order to be freely given, consent to data processing must not be a condition to using the service.
Specific consent means that it only covers one type of personal data Thus, if a service provider wishes to store personal data for both marketing and verification purposes, consent must be obtained for both purposes (art. 7 al. 2 GDPR).
Consent is “informed” when the data subject knows the identity of the data processor, what processing activities will be conducted, the purpose of the data processing and that they can withdraw consent to such data processing at any time. Such information must be given to the data subject in an intelligible and easily accessible form (art. 7 al. 2 GDPR).
The use of pre-ticked boxes, silence or inactivity from the data subject do not constitute unambiguous consent (recital 32 of the GDPR).
CLOSE-UP ON WEBTRACKING THROUGH COOKIES
Consent must be freely given
Both the FADP and the GDPR emphasise that the consent of the data subject should be freely given and that it must not be a condition to using the service. This means that the data subject should not be cornered into agreeing to the processing of use their data: “consent is presumed not to be freely given if (…) the provision of a service is dependent on the consent despite such consent not being necessary for such performance” (recital 43 GDPR).
Thus, in the specific case of cookies, the data subject who refuses to consent must still be able to continue using the service, i.e. the website.
Necessary to provide the service?
Art. 6 al. 1 GDPR underlines the cases in which data collection is necessary and lawful. This includes the case when the personal data is required to provide the service (ie. credit card information to process a transaction or a mailing address to ship a product[19]).
Art. 5 al. 3 of the 2002/58/CE directive is applicable to cookies. This article applies to any information that a website causes to be stored in a user’s browser. It specifies that the user must give their consent to the use of their information (opt-in regime). However, this does not prevent “any technical storage or access” necessary to provide the service explicitly requested by the user in an effective way.
Under current Swiss law, there is no specific provision on cookies. However, the data subject must be informed that their personal data is being collected (art. 4 al. 4 FADP). The collection of personal data through webtracking must then be approved by the data subject[20]. In respect of usual personal data, such as the IP address, consent can be deduced from the person’s behaviour. However, for more personal data, explicit approval is required, for instance by ticking a box.
It is important to note that the GDPR applies to all Swiss websites where persons in the EU are targeted. Thus, the use of cookies must comply with the GDPR and the 2002/58/CE directive.
ONLINE SALES : CO AND LCD PERSPECTIVE
CO: No specific regulation for the conclusion of a contract online
A consumer contract is, in general terms, an agreement by which a consumer acquires goods or services to private or public ends or in respect of a professional, commercial, industrial or independent activity. It can be concluded online. Under Swiss law, a consumer contract is concluded as soon as there is a mutual expression of intent by the parties (art. 1 CO). The actual payment is, in principle, not a condition to the conclusion of the contract[23].
LCD and consumer information: Transparency is key
The Swiss legislative framework is relatively permissive regarding the content of the terms and conditions of online sellers. Indeed, regarding consumer information, the LCD only indicates that there must not be an unjustified and significant disconnect between the rights and obligations in the contract (art. 8 LCD). In the same vein, all unusual clauses (clauses insolites)[24] must be outlined as to draw the consumer’s attention to same, before the consumer accepts the terms and conditions.
In the case of a website offering goods and services through online trade, the name, address and e-mail address of the person or entity responsible for the website must be disclosed[25].
Furthermore, art. 3 al. 1 lit. s LCD outlines four compulsory consumer-information obligations of e-commerce providers:
Clear indication of the responsible person or entity’s identity, in particular by providing a name and address and a valid contact email address.
Clear indication of the steps leading to the conclusion of the contract, thus allowing the consumer to know the exact moment that the agreement is concluded[26].
Putting into place tools to detect data-entry The consumer must have the technical ability to modify some elements of their order[27].
Confirmation of the order without delay. This confirmation must be sent to the buyer’s email address[28].
Should these conditions not be fulfilled, the offer of the online provider is unlawful and the contract is invalid[29].
It appears that the LCD focuses on the contract in itself and on the lawfulness of the parties’ reciprocal obligations. The consumer must be informed of the steps leading to the conclusion of the contract. However, one must refer to the FADP and the GDPR if the website is accessible from the EU, to know the obligations of the website relating to the treatment of the data required to conclude the contract online.
FINAL CONSIDERATIONS
Taking into consideration the above elements, the Swiss administration strongly advises online traders to adopt the following practices[30]:
Provide a data protection declaration or privacy policy on the e-commerce website. This declaration or policy should be used to communicate the methods put in place to protect user privacy. Such document should be displayed in an easily accessible part of the website. The consumer should agree to the terms of such before any personal data is collected.
Implement user authentication techniques and data encryption.
Only ask customers for essential information.
Clearly indicate the personal data used and the purpose.
Give the user the right to limit the use made of their data and with whom it is shared.
Finally, it is important to note that the administrator of a website will, in most cases, need to comply with the obligations of foreign laws if the website is available from abroad or if it offers delivery to third countries[31].
Footnote References:
[1] Ecommerce News Europe, Ecommerce in Switzerland, https://ecommercenews.eu/ecommerce-in-europe/ecommerce-switzerland/ (30.04.2019).
[2] Todd , E-commerce Law, p. 3, in Werro Franz/Carron Maxence, Commentaire romand de la loi contre la concurrence déloyale (Martenet Vincent/Pichonnaz Pascal, édit.), art. 3 al. 1 let. s. N. 2.
[3] Hohenauer Fabien, Le commerce en ligne – un tour d’horizon des règles applicables en Suisse, in Expert Focus (2017/11), p. 873.
[4] Métille, p. 77.
[5] Métille Sylvain, Internet et droit, Genève, Zurich, Bâle (Schulthess) 2017, p. 79.
[6] Métille, p. 79. When the Draft FADP enters into force, only the personal data of individuals will be protected.
[7]Swiss confederation SME Portal, Swiss and European e-commerce laws, https://www.kmu.admin.ch/kmu/en/home/concrete-know-how/sme-management/e-commerce/creating-own-website/statutory-obligations-in-switzerland-and-the-eu%20.html (17.04.2019).
[8] Métille, p. 87.
[9] Ordinance to the Federal Act on Data Protection; RS 235.11.
[10] Métille, p. 78.
[11] Swiss confederation SME Portal, Data protection, https://www.kmu.admin.ch/kmu/en/home/concrete-know-how/sme-management/e-commerce/creating-own-website/business-site-data-protection.html (17.04.2019).
[12] Métille, p. 84.
[13] Métille, p. 123.
[14] Métille, p. 123.
[15] Métille, p. 124.
[16] Métille, p. 124.
[17] Federal Council, FF 2017 6593.
[18] Wolford Ben, What are the GDPR consent requirements? https://gdpr.eu/gdpr-consent-requirements/ (17.04.2019).
[19] Wolford Ben, What are the GDPR consent requirements? https://gdpr.eu/gdpr-consent-requirements/ (17.04.2019).
[20] Préposé fédéral à la protection des données et à la transparence, explications concernant le webtracking, https://web.archive.org/web/20160321013141/http://www.edoeb.admin.ch:80/datenschutz/00683/01103/01104/index.html?lang=fr (30.04.2019).
[21] Hug Dario, in 3e Journée des droits de la consommation et de la distribution – Blockchain et Smart Contracts – Défis juridiques (Carron Blaise/Müller Cristoph, édit.), p. 135.
[22] Hohenauer, p. 874.
[23] Hohenauer, p. 874.
[24] A contract clause that is unusual in the given type of contract, from the point of view of the consumer.
[25] Métille, p. 119.
[26] Werro/Carron, art. 3 al. 1 let. s N 31.
[27] Werro/Carron, art. 3 al. 1 let. s N 34.
[28] Werro/Carron, art. 3 al. 1 let. s N. 37.
[29]Werro/Carron, art. 3 al. 1 let. s N. 38 and references mentioned.
[30] Swiss confederation SME Portal, Data protection, https://www.kmu.admin.ch/kmu/en/home/concrete-know-how/sme-management/e-commerce/creating-own-website/business-site-data-protection.html (17.04.2019).
[31] Métille, p. 119.
Florencia Lorca Weyer
Related publications
