At least in Switzerland, doctors cannot invoke the medical privilege if they are being prosecuted themselves.  This rule, however, is based on the assumption that a patient is the victim and thus happy to waive his or her right to confidentiality.  Yet, doping is structurally different from that: like corruption, doping does not involve a direct victim, and it necessarily requires the clandestine collaboration of two actors–official and individual in the first case, doctor and athlete in the second.

The common legal doctrine on the medical privilege in Switzerland seems unfit to cope with this situation:  in an investigation against an athlete, his or her physician may (and in some cantons even has to) refuse to testify or to submit documents.  In an investigation against the doctor himself, most relevant documents–and arguably those that deliver a “smoking gun” to the prosecution–relate to the doctor’s “patient”, the athlete, and may therefore not be used either.  Arguing that the doctor did not learn the relevant facts (and create the documents) in connection with his profession won’t be convincing because the treatment of athletes, even if it involves performance-enhancing substances, can hardly be considered as non-medical.

Taken together, this would make prosecutions for doping virtually impossible. If one does not want to accept this, one could insert a clause into the anti-doping statute that lifts the medical privilege with respect to the relationship between the doctor and the athlete.  This would be a rather strong shift of the balance between the interest in effective criminal prosecution and privacy.  Is this shift justified given the fact that doping isn’t a very serious crime?

The medical privilege is based on the fundamental importance of the ability of individuals to seek medical treatment if they need it, without having to fear that they could end in prison because of what the doctor learns from the consultation.  In cases of doping, however, the doctor-patient relationship is (in most cases) an integral part of the criminal activity, like in the case of corruption, as I mentioned.  Where the relationship itself is a problem, the invocation of the duty of confidence in the dress of the medical privilege would amount to an abuse of rights. (Thought strongly inspired by the work f J.N. Druey, of course!) 

For the same reasons, a possible argument that the medical privilege is upheld even for the most serious crimes, and that the state is willing to take the risk of having to acquit a guilty person for lack of evidence because the privilege is upheld, isn’t very strong: One could say that just because the seriousness of the crime and the evidentiary problems are irrelevant, the fact that doping is less serious a crime should be irrelevant, too.  Plus, the state takes the evidentiary risks posed by the medical privilege for the benefit of the health of individuals.  It doesn’t have to take them if a given medical treatment is not intended to cure or alleviate a disease or an injury at all.

Therefore, I think lifting the medical privilege in doping cases is justified, even under the law as it stands.  In order to avoid costly litigation over this question, however, I would opt for a statutory exception to the privilege.

Urs: “The internet has a memory like an elephant.”

Yep.

My previous concerns about biometrical web search tools can be read here.

And, according to the same author, Pluto’s downgrading is still contested.

So here’s an attempt for a synthesis:

• If a company has a sound information security policy, and has taken the necessary steps to enforce it, self-erasing paper creates an additional security risk, which can be tackled without difficulty, given the company’s information security culture.

• If information security isn’t a big issue for the management of a company (i.e. if a company has a bad management), self-erasing paper might well lower the company’s risk exposure.

To conclude, this isn’t just a question of whether the glass is half-full or half-empty, but self-erasing paper adds to the complexity of corporate information management, but — luckily — not in a way that is necessarily detrimental for those who are unable to manage that complexity.

(Paul-Henri Steinauer, in: Hommage à Henri Deschenaux, 1988, 20.)

 ”Dear Mr. Haeusermann,
We have taken over the ____ portal beginning of November, which included an address database. We wrote to the people in the database once, and at the same time deleted the addresses.
[apologies]“

So far so good.

The conference on data protection was a big success, as the organizers were able to gather the crème of Swiss data protection lawyers. One of the lessons learned from the keynotes of Prof. Herbert Burkert (President of the FIR-HSG), Prof. Rainer J. Schweizer (President of the Federal Data Protection and Transparency Commission and member of the board of the FIR-HSG), Sig. Tiziana Mona (Member of the Federal Data Protection and Transparency Commission), and Hanspeter Thür (the Federal Data Protection and Information Commissioner) is that individual enforcement of data protection law (e.g. what I did vis-à-vis the spammer) is important, but other regulatory instruments can be more effective.

• As a first example, the Data Protection Commissioner may publish recommendations which are directed at the private sector and have covered fields such as the collection of data by property management companies, spamming, or the use of biometrical access controls by recreational facilities. Mr. Thür explained that these recommendations, though not binding, regularly provoke intense reactions (both positive and negative) from the public. He also has the impression that the recommendations have a much broader impact than court decisions (which are quite rare, btw).
• Second, in the fields of national security and the war on organized crime, the access right of individuals cannot but hamper these (largely) legitimate ends. In a recent judgment, which is currently on appeal with the Federal Supreme Court, the Data Protection and Transparency Commission decided on the basis of the European Convention on Human Rights that the access right has to prevail. That case is extremely interesting, and I’ll get back to it next year after the verdict of the Supreme Court. In essence, the Commission found the statutory mechanisms, by which individuals can have the lawfulness of data processing checked, ineffective and thus unconstitutional. Where the necessity of enforcement of data protection law by individuals results in crippled information rights, it seems to be a better idea to create institutional safeguards, for instance regular data protection audits with law enforcement and national security agencies by an independent, but trustworthy institution (e.g. the Data Protection Commissioner).

My first example is spamming, one of the digital scourges of mankind, and a phenomenon which has become recently under suspicion of deepening the digital divide between digital natives and older people (twenty-something +).

Lately, I received one of the few “domestic” spam emails, that is, one from a Swiss million pixel website. As spamming is not clearly illegal in Switzerland yet–an anti-spam amendment to the Unfair Competition Act is under way–, I decided to test that company’s data protection compliance:

Under Swiss (and European) law, every person whose data (i.e. information on an identifiable person) are processed, has an unconditional right of access ot these data, including the right to know the purpose of processing, the categories of data processed, the persons involved in the processing of data, the source of their data, etc. (Art. 8 of the Swiss Data Protection Act [in English]–its EU equivalent, though with a different scope, is Art. 12 of the Data Protection Directive 95/46/EC.)

The data controller has thirty days to respond to a request; the information must be given free of charge (with very narrow exceptions); and a violation of the right of access by the controller is punishable by a fine and/or up to 90 days of imprisonment.

This morning, I sent the spammer a request pursuant to Art. 8 Data Protection Act, mainly because I wonder how he got my email address, but also because requests like mine are apt to make spamming horribly expensive: It is hardly conceivable that these requests can be processed automatically. So, if only a small percentage of spammees “ask back”, they can make spamming prohibitively expensive, and probably even drive a SME out of business.

To conclude: the regulatory burden Art. 8 Data Protection Act creates can be a very effective weapon, which can be used against legitimate and illegitimate businesses.

“Karen McCullagh, PhD student at the Cathie March Center for Census and Survey Research, University of Manchester, is doing a survey on privacy attitudes and behavior of bloggers. Besides, some of the questions also deal with copyright issues.

This empirical work is very important because it will enable me to critically assess whether I’m on the right track with privacy legislation, especially in Europe!

So please take the survey if you have your own blog.

Thanks,

The Law.”

From this perspective, he seems a bit ungrateful, as he announced a host of lawsuits for public disclosure of private facts, which might not be a better idea than adding the ballroom dance scenes to his video.

In the meantime, some compliance officers might wonder whether they should recommend that the whole investment branch of their bank be fired or just the guy who forwarded the information first.  Seriously, this incident shows us that email usage policies are extremely difficult to enforce:  Firing a scapegoat HR staff assistant won’t likely scare the wits out of those who forwarded the information in the 1+nth instance, and I don’t think it should because gossip of that kind, as annoying as it may be for the subject, is part of everyday social life and much more harmless than many (or most) other forms of social interaction, such as mobbing, intrigues, and what we name in German “the use of elbows” to bring forward one’s carreer.

So, to terminate “Ivygate”, I suggest that the bank which leaked the information give the student the job he wants and let him use his elbows (only figuratively, please, we don’t want a bloodbath!) against all the guys who already made his acquaintance online.

By the way, if Switzerland had jurisdiction over the case, the person who initially forwarded the resumé to his or her friends would face imprisonment of up to 90 days and a fine of up to USD 30.000.  I don’t think it’s necessary to comment on the appropriateness of this legal solution to the problem.