The purpose of the right of access is to enable or facilitate the exercise of other individual rights under Swiss or European data protection laws. At the same time, the right of access may adversely affect the rights and freedoms of others, including the right to protection of privileged information. I held a workshop at the bi-annual Lawyers' Congress of the Swiss Bar Association in Lucerne last week. The session discussed the right of access from the viewpoint of lawyers and their clients.
Balancing privacy and confidentiality interests
Exemptions provided in Swiss and European data protection laws allow lawyers (or the law firm as the controller of the personal data undergoing processing) to balance conflicting interests. In particular, the right of direct access to personal data undergoing processing may adversely affect the individual data protection rights of others, the privacy and confidentiality interests of clients as well as the confidentiality of business secrets or confidential know-how or intellectual property of clients, attorneys or third parties.
In addition, the protection of the confidentiality of the attorney–client communication (and of attorneys' work products) serves the public interest in safeguarding the legal system and access to courts. Granting data subjects direct access to documents that include the personal data undergoing processing (or providing information about the relevant processing) may impair the exercise or judicial enforcement of legal claims or interfere with an effective defense of the client.
Privileged information is exempt from the right of access
- Protection of the rights and freedoms of others
Article 9(1)(b) of the Swiss Federal Data Protection Act (SDPA) provides that controllers may deny, limit or defer access to personal data undergoing processing if prevailing interests of third parties (including other data subjects) so require. Further, under limited circumstances, Article 9(4) SDPA allows controllers to deny, limit or defer access if and to the extent required to protect their own prevailing interests. Similarly, Article 15(4) of the EU General Data Protection Regulation (GDPR) provides that controllers may limit the right to receive a copy of personal data undergoing processing if and to the extent this is required to protect the rights and freedoms of others.
These provisions in Swiss and EU data protection laws safeguard the privacy and confidentiality interests of other data subjects as well as confidentiality interests (including trade secrets and confidential intellectual property, cf. Recital 63 of the GDPR) of other third parties. However, unlike Article 9(1) and (4) SDPA, Article 15(4) GDPR only limits the right to receive a copy of the personal data undergoing processing – as provided in Article 15(3) GDPR – but not the right to receive further information about the processing in accordance with Art. 15(1) GDPR (at least if one follows the convincing yet contested view that the right to receive a copy undergoing processing is an independent remedy).
- Protection of the confidentiality of attorney–client communication
Swiss law protects the confidentiality of attorney–client communication under Article 321 of the Swiss Criminal Code and Article 13 of the Swiss Federal Act on the Free Movement of Lawyers. Within the scope of these provisions, lawyers (or their law firms as controllers) may deny, limit or defer access to personal data undergoing processing. This follows from Article 9(1)(a) SDPA, which allows controllers to deny, limit or defer access if and to the extent Swiss (statutory) law so provides.
Article 14(5)(d) GDPR exempts information from the obligation to provide information about the collection and processing of personal data (when the data is first collected or obtained) where the personal data must remain confidential subject to a statutory obligation (in EU/EEA or Member State laws) of professional secrecy. It would make little sense if the legislator indeed intended to exempt privileged information under Article 14, but not under Article 15 of the GDPR. Rather, it seems that this exemption was inadvertently omitted in Article 15 GDPR when drafting exemptions to the right of access. This justifies applying Article 14(5)(d) GDPR by analogy to the right of access (or to receive a copy) under Article 15 GDPR.
Understandably, a number of Member States did not want to rely solely on Article 15(4) GDPR or (by analogy) Article 14(5)(d) GDPR to safeguard professional secrecy obligations (including the legal privilege) provided in national laws. They used their authority under the opening clauses Article 23(1)(f) and (i)–(j) GDPR to limit the scope of Article 15 GDPR. For example, both the German Federal Data Protection Act (GDPA) and the Irish Data Protection Act 2018 (IDPA) provide safeguards (a) for the legal privilege protected under national laws (cf. § 162(a)(i)–(iii) IDPA and § 29(1) GDPA), and (b) for the establishment, exercise or defense of legal claims (cf. § 60(3)(a)(iv)–(vi) IDPA and § 34(1)(1) in conj. with § 33(1)(2)(a) GDPA).
Clarification of exemptions provided in the Swiss Data Protection Act
After much delay due to lengthy discussions of the details, the Parliamentary subcommittee preparing the draft expects that the Swiss National Council will finally be able to discuss a draft of the revised SDPA in its fall session this year. The Swiss Federal Parliament, much like the German and Irish legislators, should seize this opportunity to regulate more concretely the relationship between the individuals' rights under the SDPA and the statutory obligations of professional secrecy.
The Swiss Bar Association submitted comments on the 2016 and 2017 drafts of a revised SDPA, and suggested improvements in order to safeguard privileged information, in particular in the context of investigations by the Swiss Federal Data Protection and Information Commissioner and with regard to the right of access.
As regards the right of access, the Parliament should include an exemption allowing controllers to deny, limit or defer access or information if and to the extent this is required to comply with their respective statutory secrecy obligations. The Parliament should clarify that this means to include the obligation to keep attorney–client communication and attorney work products confidential as well as secrecy obligations of members of other professions (e.g. physicians).
Thomas Steiner is a member of the Data Protection Expert Commission of the Swiss Bar Association. The views expressed in this article are his own. He will be happy to answer your questions regarding this article or other data and privacy law issues.