A first and cautious look at the completely unsettled legal situation involving the protection of personality when netizens use Internet commerce devices for personal transactions.

By Markus Jungo, Attorney at Law in Switzerland (admitted to the bar of Zurich and of Fribourg) and foreign LL.M. student at the University of Miami School of Law,

Coral Gables, Florida, USA. For more information or if you have any suggestions please contact me via e-mail at my student address or after graduation (May 1996) at my ordinary address.

Copyright © April 1996, Markus Jungo, all rights of reproduction reserved.



Use of global Internet computer network is rising exponentially. Although estimates are unreliable due to the astronomical growth of the Internet, it is believed that the Internet connects at least 59,000 computer networks and 2.2 million computers in different 159 countries [1]. There are now an estimated 20 - 40 million Internet users [2], called netizens, and it is believed that this number will increase, by the end of this decade, to 240 million [3]. The Internet grows today at a rate of 10 - 15 % per month, and a new online network is connected to the Internet every 30 minutes [4]. While most individual Internet users are connected to the service through an Internet Service Provider (ISP), larger businesses and institutions often have a direct connection to the Internet. For example, most universities in the United States and in Europe are now directly connected to the Internet and provide free accounts to their students, faculty, and staff.

During the last few years an increasing number of reputable commercial corporations have created their own Web-Sites. While the majority of them - mainly for promotional purposes - simply provide general information about their products and services [5], a minority of businesses are actually using the Internet as a device to conduct business directly over the Internet. For example, an increasing number of business corporations operate so called cyber-malls where consumers can place orders through their home computers connected to the Internet [6], on-line banking is now widely available [7], and even flight tickets can be booked on-line today [8]. All these activities are now possible on the user's home computer over the Internet. Although estimates vary, it is widely agreed that electronic commerce over the Internet, is set for explosive growth. Some people believe that approximately 15 % of consumer purchases may be electronic transactions by the end of this decade [9]. Thus, it is clear that consumer habits will change with the course of time and that comfortable and easy home shopping through the use of the customer's computer will increase considerably in the near future. However, one must also bear in mind the potential impacts of these new technologies. Among the rather negative and frightening impacts of Internet commerce is the exposure of the consumer's personal data to his contractual partner - the content provider - and the collection and processing of this data by the latter or third parties. By the means of Internet commerce, both public and private organizations are acquiring unprecedented abilities to build, sell, and use consumer profile data, since every single transaction on the World Wide Web (WWW), from cyber sale to information acquisition by simply reading a Web-article, can be recorded and archived by either party to it [10]. Most WWW browsers are designed to allow routine monitoring. For example, Netscape, today's most popular browser, tells the owner of every Web-page the IP address of every visitor and the URL of the page most recently visited by that person. Even the user's e-mail address is transmitted, when the user employs his browser to send electronic messages over the Internet [11]. Therefore, the Internet enables cyber businesses to form precise consumer profiles based on the consumer's transactions with them. Moreover, these data can been transmitted to any other businesses or to commercial companies specialized in the business of data processing.

Yet, big data collection businesses already receive and systematically process such data from various cyber businesses and sell their specific consumer profiles to other companies. For example, Electronic Data System Corporation (EDS), in Plano, Texas, is probably the most important and powerful data processing company in the world. Established in 1962 by Ross Perot, EDS was sold in 1984 to General Motors. Although EDS is practically unknown, the company knows highly personal and confidential consumer data and establishes consumer profiles on millions of people [12]. EDS' customers, such as Apple Computers, American Express, Xerox and of course General Motors, provide the company with the necessary information. When one buys a new GM car, EDS will automatically receive the data about the GM customer's favorite color and his life style. Moreover, American Express provides EDS with more specific data about their customer's spending habits and even air travel is recorded at EDS, since the world-wide flight booking system, called Amadeus, is also connected with EDS - [13]. Thus, EDS possesses more specific and by far more numerous data about us than any other company or organization in the world, including our tax agencies and police departments [14]. Obviously, EDS is not the only company systematically collecting and processing consumer data. ISSC, for example, a subsidiary of IBM, or Debis AG, a subsidiary of Daimler Benz AG, are also engaged in the data collection and processing business [15].

However, the fact that these data processing companies possess and control without any restrictions highly personal or even confidential data is somehow frightening, at least if you are familiar with the basic concepts of the Data Protection Acts and the relevant provisions about the protection of personality in the different European countries. Considering the upcoming data flow in future Internet commerce transactions, it is likely, that even more specific and numerous data will be available in the near future, and, therefore, the problem of this issue will remain actual.

This article will examine the legal problems related to data collection and processing obtained through international Internet commerce transactions under the view of the Swiss law. Since the Federal Data Protection Act (DPA) [16] is not applicable when the data is acquired and collected outside of Switzerland, this article will basically focus on the relevant provisions concerning the protection of personality set forth in the Swiss Civil Code (CC) [17]. However, the DPA may nevertheless have some important impact as to the interpretation of the relevant statutes of the Civil Code about the protection of personality.

Writing about legal aspects of the Internet is certainly a challenging task. The law regarding the Internet in general, and especially the protection of personality in cyber space, is completely unsettled and unprecedented in Switzerland. To my knowledge, there are no Swiss precedents or statutes dealing specifically with Internet law. This is certainly due to the relative new character of this medium and the fact that the Internet is not (yet) as widespread in Switzerland as in the United States. Facing the lack of any clear precedents or statutes and the fact that this issue is yet to be resolved by the competent Swiss courts, this article represents a purely personal view of the author as to how the actual legal provisions about the protection of personality may be applied in international Internet commerce transactions.


The Swiss law protects personality, including the rights of life, limb, body, health, reputation, privacy, and the right to personal liberty. The provisions of the Civil Code about the protection of personality (Articles 27 to 29 CC) are complemented by the Federal Penal Code (PC) [18] and the individual liberties mentioned in the Federal Constitution (FC) [19] or in the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECPHRFF) [20]. The meaning of personality in the Swiss Civil Code is very broad and includes all rights which are inseparably connected with every person [21]. It is worthwhile noting that protection of personality is not only available to physical persons but also to legal entities [22]. The relevant provisions in the Swiss Civil Code can be divided in legal safeguards of personality against oneself (called internal protection of personality) and against others (called external protection of personality) [23].


Freedom of a person is fundamental but non unlimited. Social life justifies restrictions as long as the basic rights inseparably connected with that person are not infringed. Persons may limit their freedom if this limitation is not against law and morality. Experience has shown that persons themselves sometimes agree to restrictions on their own personality under outside pressure [24]. In order to protect a person from his own actions, Article 27 CC bearing the title "excessive commitment", limits the ability of a person's contractual capacity by providing:

"No person can wholly or partially renounce his capacity to have rights and to effect legal transactions.

"No person can alienate his personal liberty nor impose any restrictions on his own enjoyment thereof which are contrary to law and morality." [25]

Thus, a commitment for life or an agreement to comply without restriction with another person is void [26]. Therefore, a person can not legally promise never to marry or never to change his political ideas or his religion. For the same reasons a commitment to remain a lifetime member in an association is also void. However, more delicate problems arise in the area of contracts, for example in employment and lease agreements [27]. Since there is no general test as to what "excessive" exactly means, the courts decide this issue on a case to case basis [28]. However, in cases where monetary questions are involved, the courts are more reluctant to apply Article 27 CC, since this statute - as a general rule - does not prohibit a person to commit himself or herself beyond his or her financial capacities [29]. On the other hand, Article 27 CC is a useful remedy against so called eternal contracts whereby the maximum term of the contract depends upon the intensity of the commitment [30]. There are also some statutory guidelines as to what excessive means: for example, a court may cancel a contract that has deeply wronged a person who was inexperienced or in severe financial difficulties at the time the contract was entered based on Article 21 of the Federal Code of Obligations (CO) [31].

Although Article 27 CC is not applicable to or directly relevant in the field of data collection and processing, it is worthwhile mentioning it in order to gain a general understanding of the legal concepts of protection of personality set forth in the Swiss law.


Since data collection and processing is carried out by third parties, we first have to examine the legal bases for the protection of personality against others. The relevant statutory provision in this regard is Article 28 CC which reads as follow:

"Where anyone is injured in his person by an illegal act, he can apply to the judge for his protection from any person who takes an active part in effecting the injury.

An injury is illegal where it is not justified by the injured person's consent, by a predominantly private or public interest or by law." [32]

Through these simple words Article 28 CC protects a large variety of rights, such as life, limb, body, health, reputation, privacy, and the right to personal liberty. Although the Federal Supreme Court stated that there is no exhaustive list as what exactly falls under the protection of personality [33], there are, nevertheless, three major categories of personality protected by the said provision, i.e. physical, affective and social personality [34].


This important right relates to the right to life and to physical and psychological integrity; it also includes the right to sexual freedom and to freedom of movement [35]. Furthermore, every person has the right to decide what shall happen to his body after death [36].


Article 28 CC also protects the mental and emotional aspect of every person, especially in the field of family relationship. Whoever disturbs the matrimonial life of a couple [37] or the relationship between the parents and their child by unduly influencing the latter [38] violates Article 28 CC. The rationale in these cases is that an affective relationship can be so intense that a direct violation of the personality of the injured person has also an indirect effect on the personality of the other [39]. For example, an illegal death [40] or a severe physical injury with permanent consequences [41] of a person can give raise to a claim under Article 28 CC to the close standing person, if the latter is particularly affected by that event.


Life in society also requires the protection of our social personality. The term social personality includes honor and dignity, privacy, name, and personal data [42].


The law protects a person's honor widely, including social aspects and reputation in the professional, economical and social field [43]. Honor may be damaged by accusations, libels, slanders, wrong information and undue criticism [44]. However, the degree of protection depends upon the social and professional exposure of the injured party [45]: a well known person actively engaged in the political life [46] or a publisher of an academic article heavily criticizing an opposing view must sustain a higher level of accusation and criticism than an ordinary person [47]. On the other hand, unnecessary offensive or embarrassing accusations or criticism may still violate Article 28 CC, although the other side is a publicly well known person [48].


The law also protects privacy, meaning all personal facts and information which are known only to a limited number of persons [49]. Therefore, the exposure and transmission of facts and information not destined to be known by other people constitutes a violation of Article 28 CC [50]. The Federal Supreme Court has in this regard decided that the exposure and transmission of someone's picture or voice is also a violation of the said provision [51]. Privacy also includes facts and information that are meant to be kept secret or confidential, i.e. facts and information that are shared with nobody else or only with a limited number of people [52] (for example, with a doctor for medical reasons or with an attorney for legal purposes). Thus, the law distinguishes between the private and confidential life of a person. The reason for doing so, is the fact that the limits of protection are not the same for a well known person and somebody less known [53]. The former is expected to receive less protection than the latter [54]. Thus, since politicians, actors, or sportsmen are publicly more exposed, only their secret and confidential life is subject to the protection of Article 28 CC, if their popularity has reached a certain limit. However, it is clear that it can be difficult in some cases to distinguish what exactly falls under the private life of a well known person on one hand and the confidential or secret life on the other hand [55].

The right to privacy pursuant to Article 28 CC also includes the protection against data collection and processing [56], since personal data are clearly not destined to be known by any third parties. However, this issue will be examined in more detail in a separate paragraph [57].


The person's name is basically protected by Article 29 CC which provides:

"Where a person disputes the right of another person to his name, the latter can apply to the judge to have his name established.

Where a person assumes the name of another to the latter's prejudice, the latter can apply for an injunction to restrain the continuation of this assumption, and can in addition claim damages if the act is proved wrongful, and moral compensation if this is justified by the nature of the wrong suffered." [58]

However, when a dispute involving the protection of name is not covered by the above statute, the general rule of Article 28 CC is still available for legal relief [59].


It has been recognized for a long time that Article 28 CC provides a legal remedy against data collection and processing by third parties. Therefore, storage, modification, and transmission of personal facts and information violates Article 28 CC, if his or her sphere of privacy, confidentiality, or secrecy is affected [60]. Hence, the injured party has a right to restrict or prohibit the processing of such data by any third parties [61]. However, the provisions in the Civil Code are rather unclear and very superficial as to the exact circumstances under which personal data processing is a violation of personality, since they do not provide any clear guidelines [62]. Therefore, the Swiss Parliament in 1992 enacted the Data Protection Act (DPA) [63] aiming the protection of personality and the fundamental liberties of the people whose data are processed [64]. Although some commentators believe that the protection of privacy in the field of data processing provided by the Civil Code is now substituted by the DPA [65], the history of the act makes is clear that the DPA is merely a complementary legislation of the basic principles set forth in Article 28 CC [66]. Thus, an injured party can still base his or her claim on Article 28 CC, if the DPA - for whatever reason - is not available for legal relief.

Although the DPA is basically not applicable in international Internet commerce transactions [67], the act may nevertheless be relevant in order to determine the exact circumstances under which data processing constitutes a violation of personality. Article 12 Section 1 DPA sets forth the principle rule according to which data processing, infringing the right of personality, is illegal. Section 2 DPA provides a non-exhaustive list of infringements. For example, the act explicitly states that data processing against the expressed will of the injured party (Article 12 Section 2 Letter b DPA) or data transmission enabling the recipient of such profiles to form an opinion about crucial aspects of the personality of the injured party (Article 12 Section 2 Letter c DPA), are illegal. On the other hand, if the injured party has made his or her data generally available and did not expressly prohibit the processing of his or her data, there is, in general, no violation of personality (Article 12 Section 3 DPA). The said provisions of the DPA are merely a clarification as to what constitutes a violation of personality set forth in Article 28 CC. If a person expressly opposes data processing based on the above mentioned rule in the DPA, he or she also would have a claim under Article 28 CC, since data processing "is not justified by the injured person's consent" [68], and data transmission to third parties enabling the recipient to form an opinion about crucial aspects of the injured person's personality is per se a violation under Article 28 CC. Moreover, processing general available data is also under the provision of the Civil Code allowed, provided that these data do not enable the owner to establish an exact profile of the injured party. Thus, excepted from the rules concerning the injured party's consent (i.e. express or implied consent), there is no substantive difference between the law under the DPA and the Civil Code. This leads us to a very important question: whether or not providing personal data during the course of a commercial Internet transaction constitutes implied consent that the consumer's data can be stored or processed by the content provider or any third parties. However, from a systematic point of view this issue will be discussed in the next couple of paragraphs, dealing with the limits of the protections of personality.


Article 28 Section 2 CC itself states the legal justifications available in cases where someone's personality has been infringed, i.e. the injured person's consent, the predominately private or public interest and the law. Thus, an action infringing someone's personality can nevertheless be allowed, if a legal justification exists. It is worthwhile noting that the burden of proof for these legal justifications lies upon the infringing party [69].

2.4.1. CONSENT

Since the right to personality set forth in Article 28 CC is not a mandatory provision, a person who has previously given his or her consent to or who has later approved the infringing action is legally bound by his or her consent or approval. The consent or approval can be express or implied, however, the consent is always revocable until the infringing action has taken place [70]. In cases involving the physical personality in the medical field (e.g. surgery), the Supreme Court has placed on the doctor a duty to inform his or her patient in order that the latter's consent is free and enlightened [71]. Special problems may arise if the injured person is not able to give his or her consent because the latter is either under guardianship or lies unconscious in the hospital and has no legal representative who could act on his behalf [72]. However, it is worthwhile noting that there is no general duty to inform the injured party outside of the medical field, but limits may nevertheless apply; for example, according to general principles of contracts a consent contrary to morality is void [73].

In the field of data collection and processing Article 13 Section 1 DPA - much like Article 28 Section 2 CC - expressly provides that the injured person's consent is a legal justification. However, commentators require in this regard that the injured party's consent must be given on a free and enlightened basis under the DPA and the CC [74]. Furthermore, it is obvious that prior to the infringing action the consent is freely revocable [75]. Thus, the legal rules regarding data processing in commercial Internet transactions are pretty clear if there is an express statement by the computer user permitting or prohibiting the processing of his or her personal data. However, in most cases no such express statement exist. Furthermore, the computer user, while electronically shopping on the Internet, is generally not aware of the fact that his or her data are systematically processed by the content provider or even by third parties. In most cases, they even ignore the fact that their browser transmits personal data by simply surfing on the Internet. Does providing personal data in a freely entered commercial Internet transaction or simple surfing on the Internet constitute implied consent for storage or transmission of personal data by the content provider or third parties? The author of this article must admit that this is a unsettled issue under the Swiss law. But based on the fact that the injured party's consent must be given on a free and enlightened basis, an implied consent can only be found in cases where the Internet shopper or surfer is on actual notice of the fact that his or her personal data are systematically processed by the content provider or transmitted to third parties. Hence, in all other cases - for example, where the injured party has no actual knowledge about a systematic data processing because the computer user does not know that he reveals personal data by simple Internet surfing or because he believes that the transmitted data in the course of a commercial Internet transaction will be used strictly for purposes of that particular deal - data collection and processing must be regarded as illegal under Article 28 CC for lack of sufficient consent.


An infringement of personality against the injured party's will may still be legal, if a predominately private or public interest exists. The Federal Supreme Court stated that when a careful balancing of the involved interests clearly comes to the result that the infringing party's interest is predominant, an infringement of personality may be legal [76]. However, no such predominant interest exists in cases where the right to life is involved [77].

A predominant private interest must be based on general accepted values and mere profit concerns do not justify an infringement of personality [78]. However, a predominant private interest may exist in the medical field, if in an emergency case a consent is not available either by the patient itself or by his or her legal representative [79]. However, in the field of data processing a predominant private interest is hard to imagine.


Unlike the private interest, the predominant public interest plays a more important role in the Swiss legal system as to the limits of the protection of personality. The reason for it is the constitutionally guarantied freedom of press (including all kinds of media like the written press, television, and radio) set forth in Article 55bis of the Federal Constitution. Therefore, the public interest in receiving objective, full and accurate information about events of general importance may well conflict with the right of privacy set forth in Article 28 CC. In such a case the judge must consider the particular situation and task of the press while interpreting the relevant provisions about the protection of personality [80]. On the other hand, the freedom of press does not permit a general violation of the right to privacy [81]. Especially in cases where false or incomplete facts are spread by the press, the courts have held that such doing was illegal under Article 28 CC [82]. Concerning the expression of opinion diffused by the press, the courts held that the point of view must be justifiable and not untenable [83]. It is clear that the limits of protection are different for a well known person and someone less known. The former is expected to receive less protection than the latter [84]. For example, the Swiss press while reporting about court cases is not allowed to reveal the names or even the initials of the involved parties unless one or both parties are celebrities [85]. This is the reason why the identity of the involved parties is practically always kept secret in Switzerland, even in the official court reporters, if personal facts are revealed or discussed in that decision.

There are also some predominant public interests involved in the field of data processing. The DPA expressly states that data processing can serve as a predominant public interest [86], for example, if the data are processed in direct connection with a commercial deal [87], in order to establish a credit report in direct connection with a commercial deal [88], or for research, planning, or statistic purposes [89]. Furthermore, if the processed data is about a commercial competitor [90] or a publicly well known person [91], it is also legally justified based on public interest. However, public interest may never justify data processing, if the data are wrong or illegally obtained, or if its purpose is pure advertisement [92]. Hence, there are no reasons why the predominant public interests recognized in the DPA should have another meaning in the Civil Code. Therefore, the predominant public interests provided in the DPA can also be used as a legal justification in cases based on the protection of personality set forth in Article 28 CC.

The first two legal justifications (data processing in direct connection with a commercial deal and for purposes of establishing a credit report) may need some further discussion. In a commercial Internet transaction we have so far distinguished two types of data processing: the consumer's data are collected and processed in connection with particular commercial transaction or his or her data are systematically collected and processed for other purposes, for example, in order to establish consumer profiles (either by the contractual partner itself or by a third party). Therefore, if the content provider during the course of a commercial Internet transaction checks the consumer's credit report and transmits related data to the report managers or if he stores the consumer's data in connection with a particular deal in his or her own database, there is no violation of personality under Article 28 CC. The same is true in cases where the content provider simply records and monitors the visitors of his web-page. However, as soon as the content provider processes these data for other purposes, such as establishing consumer profiles or in order to build up advertisement mailing lists, an illegal infringement of personality under Article 28 CC exists.

2.4.4. LAW

In some rare cases the law justifies an infringement of personality. For example regarding the protection of the physical personality, a person can be legally forced to cooperate in the course of a parentage procedure by giving a blood sample for a DNA analysis [93]. However, the legal justification based on the law is merely relevant in the field of data processing.


If an infringement of personality and no legal justification exist, the injured party is entitled to the following remedies set forth in Article 28a CC:

"The plaintiff can apply to the judge for:

1. an injunction of the imminent injury;

2. the removal of an existing injury;

3. a statement of illegality of an injury where the continuation of the illegal act has a disturbing effect.

In particular he can demand that the rectification or the judgment is made known to a third party or published.

Reservations are made for an action for damages and moral compensation as well as the handing over of profit in compliance with the provisions made for agency of necessity." [94]

It is important to note that no other requirements exist in order to bring a suit under Article 28a CC, i.e. there is generally no scienter required. However, in cases involving monetary damages, the plaintiff must show scienter [95].


If an imminent injury exists, the injured party can apply for an injunction to stop a future infringing doing. The plaintiff must show that the imminent injury is serious, meaning that he has an interest in legal protection, in order to receive a court injunction [96]. The injunction is an important legal device to prevent a future infringing action, for example, to prevent a newspaper from publishing an upcoming article infringing someone's privacy. However, in the field of data processing this device is of lesser importance.


An action for removal is available in cases where the injury is still existing. Its purpose is to reinstall a legal situation by ordering the defendant to stop his infringing. For example, the judge can order the defendant to stop any further distribution of a book infringing the plaintiff's privacy or to destroy an infringing image intended to be published by the news media.

This legal device is very useful in the field of data processing. For example, the plaintiff can apply for a judgment ordering the defendant to correct or to destroy the plaintiff's personal data in the latter's database [97]; he can also request a court order prohibiting the defendant to transmit the plaintiff's data to third parties [98]. By this device a computer user can effectively stop an Internet content provider from illegally processing and transmitting his personal data to third parties. However, it may be very difficult for the computer user to gain knowledge or to establish that such an illegal act actually took or is still taking place, since the infringing party generally does not notify the computer user about their illegal data processing. Moreover, the foreign content provider in international Internet transactions is probably not even aware of his wrong doing, if his domestic law - unlike the Swiss law - allows such data processing [99]. However, the fact that an illegal doing may not always be discovered or legally pursued does not change the fact that some kinds of data processing are illegal under the Swiss law.

During the course of the enactment of the DPA the Swiss Parliament was aware of the fact that an effective protection of personality in the field of personal data required the introduction of a provision granting a general right to information against any owner of a database. Hence, according to Article 8 Section 1 DPA everybody is entitled to request information from any data owner, if the latter processes data about him or her. If there are personal data about the requesting party processed, the data owner is obliged to disclose these data and to indicate the purpose of processing, the different categories of data, and the recipients of these data (Article 8 Section 2 DPA). Furthermore, every database located in Switzerland must be registered at the Federal Agent for Data Protection and his register is publicly open (Article 11 Section 1 DPA). However, it is important to note that the right to information is only available under the DPA and that the Civil Code does not provide such a general right to information.


The plaintiff can apply for a declaratory judgment, if the wrong doing has a continuing disturbing effect, and if no injunction or removal orders are available in the case. The reason for the second requirement is the fact that according to the general principles in the Swiss civil procedure, a declaratory judgment is an alternative judicial device only [100]. However, a declaratory judgment often is ineffective in real life, since the court judgment in such a case consists of a piece of paper declaring that a specific act is or was illegal; this is also true in the field of the protection of personality [101].


Publication of the judgment or its notification to third parties are also very important legal devices if someone's personality has been infringed, especially if the defendant is engaged in the press business or runs a media business [102]. However, its importance is rather limited in the field of data processing.


According to Article 28a Section 3 CC actions for monetary claims, such as action for damages and moral compensation are expressly reserved. However, the grounds for monetary awards in the field of data processing are very limited, since personality infringement cases merely cause monetary damages and rarely reach the necessary level for moral compensation. Furthermore, the awarded amounts in Swiss moral compensation cases are ridiculously small compared with American cases [103], and punitive damages are prohibited under the Swiss law. Hence, the Swiss courts do not make plaintiffs rich.


Based on the foregoing analysis, a computer user whose personal personality has been infringed by illegal data processing is legally entitled under Article 28a CC to request the data owner that his or her personal data are corrected according to his or her instruction or destroyed by deleting the data from the owner's database. If the computer user is only concerned with the unlimited data flow between various databases, he can limit his request in order that the data owner is only prohibited to transmit the user's personal data to other databases. However, there are also other legal remedies available, such as injunction, declaratory or monetary judgment, or publication of the judgment, however, they are rather ineffective in the field of data processing.


This article deals with legal problems in international Internet commerce transactions. Thus, the Internet content provider in our hypothetical problem is domiciled, incorporated or doing business in a foreign country and the only contact to Switzerland is the fact that he processes data of people or business entities domiciled, incorporated or doing business in Switzerland. The crucial question is whether or not the content provider under these circumstances is subject to the Swiss jurisdiction.

Since this problem involves international facts, we first must consider the legal rules set forth in the Swiss Private International Law Act (PILA) [104] dealing with international jurisdiction, conflict of laws and recognition of foreign judgments. The main rule regarding jurisdiction in the international context is that jurisdiction lies at the defendant's domicile [105], respectively for business entities at their seat or where the company is in fact administrated [106]. The historical base of these provisions is the old Roman rule of "actor sequitur forum rei" [107]. However, the PILA provides for various special places of jurisdiction. Since infringements of personality are considered as tort claims (or in PILA's wording: unlawful acts), the rule set forth in Article 129 Section 1 and 2 PILA is applicable [108]:

"Lawsuits based on unlawful acts are subject to the jurisdiction of the Swiss courts at the domicile of the defendant or, if he or she has none, at the place of his or her habitual residence or business establishment.

If the defendant has neither his or her domicile, nor his or her habitual residence, nor his or her business establishment in Switzerland, jurisdiction lies with the Swiss court where the act occurred or where it had its effect." [109]

Thus, although the Internet content provider in our hypothetical problem is domiciled in a foreign country, he is nevertheless subject to Swiss jurisdiction, because the illegal data processing clearly has its effect in Switzerland, i.e. at the place where the infringed party is domiciled, incorporated or doing business. Therefore, based on Article 129 Section 2 PILA the Swiss courts are competent to adjudicate a personality infringement lawsuit against a foreign based Internet content provider.


Now, having determined that the Swiss courts are competent to hear a personal infringement lawsuit against a foreign Internet content provider, our inquiry does not stop here. What law is applicable to the lawsuit, the law where the Internet content provider is domiciled or Swiss law? This is an important issue, particularly in cases where the application of these laws would result in a different outcome of the suit. Hence, if Swiss law applies to the dispute, an injured party may well be able to receive a judgment ordering the data owner to delete the injured party's data in his or her database or to restrain the former from transmitting the data to third parties. On the other hand, if the court applies the law of the place where the data owner is domiciled or doing business, the chances that the injured party will receive appropriate relief are rather small, since the data owner presumably complies with the legal rules regarding data processing in his own country and state.

Concerning the applicable law we must look at Article 139 PILA, dealing with violations of the right of personality, which reads as follow:

"Claims of violations of the right of personality by media, especially by press, radio, television or other means of public information, are governed at the option of the damaged or injured party:

{a} by the law of the country of the damaged or injured party's habitual residence, if the damaging party should have expected the effect to occur in that country;

{b} by the law of the country of the country of the damaging party's business establishment or habitual residence; or

{c} by the law of the country where the damaging act has its effect, if the damaging party should have expected the effect to occur in that country.

The right to present an opposing view in recurrent media is governed exclusively by the law of the country where the periodical was published, or the radio or television broadcast was made.

Subsection 1 also applies to claims of violations of the right of personality by handling personal data and by impairing the right to receive information on personal data." [110]

It is important to note that Subsection 3 PILA was introduced in 1992 simultaneously with the enactment of the DPA. Therefore, one could make the argument that this provision is only applicable to cases which are directly based on the DPA and not in other cases of infringements of personality based on Article 28 CC even though they also involve illegal data processing. In such a case the general rule of Article 133 Section 2 PILA, entitled "No Applicable Law Chosen", governs which reads as follow:

"If the damaging and the damaged or injured party do not have their habitual residences in the same country, the law of the country where the unlawful act was committed is applicable. If the effect did not occur in the country where the unlawful act was committed, the law of the country where the effect occurred is applicable if the damaging party should have expected the effect to occur in that country". [111]

Hence, although the wording in both statutes is slightly different, it is completely irrelevant which provision about the governing law applies, since the relevant legal issue remains the same under both statutes: should the Internet content provider have expected that the effect of his or her illegal data processing occurs in Switzerland? To my knowledge, there are no judicial precedents regarding this issue and also the commentators and the legislator's history are silent on this particular point. It is clear that numerous arguments can be found to support either side. Probably the most powerful argument against the application of Swiss law is that a particular national law generally has no extraterritorial effect. If a foreign Internet content provider must comply with the legal provisions about the protection of personality set forth in Article 28 CC, this implies in fact an extraterritorial application of Swiss law, a law that the content provider is not familiar with. Moreover, if the Internet content provider processes data of computer user's located all over the world, such an approach would compel the former to comply with the domestic laws of all these countries. However, there are numerous examples where the courts of various countries held that a particular law also applies to a foreign party if the latter have relevant contacts to the country even though the defendant is not physically present in that jurisdiction [112]. The main argument in favor of the application of Swiss law is that the foreign Internet content provider while processing the injured party's personal data actually had knowledge that the latter was domiciled in another country. Under these circumstances he reasonably could have expected that his or her data processing had some effects in that country, whereas it is irrelevant whether he knew about the illegality of his or her doing.

As previously noted, this issue is legally completely unsettled. However, I suppose that a Swiss court in such a case would nevertheless apply its own domestic law for the four additional reasons. First, it is a fact that the courts - domestic or foreign - are very reluctant to apply a foreign law to a dispute before their bars, unless a compelling reason exists for doing so. Here, the court has a possibility to construe the relevant statute regarding the applicable law in such a way that Swiss law applies. In such cases the courts highly prefer to apply their own domestic law to the dispute. Second, even if Swiss law applies, this would not result in an unlimited extraterritorial application of domestic law. Indeed, the application would be limited to computer user's domiciled in Switzerland only. Moreover, the Internet content provider is in the best position to undertake a selective choice as to whose personal data to process. Third, the application of Swiss law would not lead to unnecessary hardship to the data owner. The only action requested by the data owner is that the latter deletes the disputed data from his or her database or that he or she is restrained from any further transmission to third parties. It is important to note in this regard that the court can not extend the order to personal data belonging to other people who are not participating in the suit. The Swiss law does not provide any kind of class actions. And last but not least, the injured party would be left without appropriate relief, should a foreign law which - in contrast to Article 28 CC - allows such data processing govern the dispute. For these reasons, I assume that Swiss substantive law will govern a dispute between a computer user and a foreign data owner as to the issue of data processing obtained through international commercial Internet transactions.


We have seen that Article 28 CC provides a very effective and powerful device for netizens as to the protection of personality in regard to their personal data while performing international commercial Internet transactions. They can apply for a judgment ordering any foreign data owner to delete such data from their database or to restrain the latter from transmitting the data to third parties. However, another issue is whether or not such a court order will be recognized and enforced in the data owner's home country, if the latter refuses to comply with the foreign judgment. A general answer to this issue is merely possible and not the subject of this article. Among the various factors to consider are the law of the state and country where the data owner is domiciled or doing business, proper service of process, public policy, fraud and so on. However, given the fact that such a judgment actually affects few data only and does not really have any significant impact on the defendant's business (no monetary claims involved), I assume that the latter - despite any enforcement difficulties - has no real interest not to comply with such a foreign judgment order.


[1] See General Accounting Office, Report to Congress: Information Superhighway - An Overview of Technology Challenges, January 1995, at chapter 1. However, other sources speak of 5 million computer hosts: see Anthes, Summit Addresses Growth Security Issues for Internet, Computerworld, April 24, 1995, at 67.

[2] See Peter Lewis, On the Net, New York Times, May 29, 1995; see also White House Interagency Task Force on the National Information Infrastructure, The Global Information Infrastructure: Agenda for Cooperation, February 15, 1995, at 5.

[3] See Internet World Magazine, Internet 95, November 1995, at 47.

[4] See White House Interagency Task Force on the National Information Infrastructure, supra note 2, at 6.

[5] See e.g. for car manufacturers Buick; Cadillac; Lexus; Plymouth; Pontiac; Saab; Toyota; Volkswagen.

[6] See e.g. JTek Enterprises; Music World Mall; NetNik; PC Mall; Smart Store Virtual.

[7] See e.g. Advance Bank; Bank Austria On-Line; BankNet; Bay Bank Online; CyberBank; European Union Bank; First Interstate Bank. Mark Twain Bank is the first and until today the on-line bank providing also e-cash to their customers.

[8] British Midland is apparently the first and only airline corporation in the world providing an on-line booking service for domestic and international flights over the Internet.

[9] See Holland & Cortese, Where E-Cash Will Take Off, Business Week, June 12, 1995, at 70.

[10] See Froomkin, Flood Control on the Information Ocean: Living With Anonymity, Digital Cash, and Distributed Databases, To be published in a Symposium Volume of the University of Pittsburgh Journal of Law and Commerce in 1996, at Paragraph D (Data Collection and Profiling: Towards the Argus State?), Draft available online.

[11] Id, at Paragraph D/1/e (Reading and Viewing Habits).

[12] See Rieger, Denn sie wissen, was wir tun, Spiegel Special, March 1996, Hamburg.

[13] Id.

[14] Id.

[15] Id.

[16] Federal Data Protection Act (DPA), dated June 19, 1992, (Bundesgesetz vom 19. Juni 1992 über den Datenschutz, DSG, SR 235.1).

[17] Federal Civil Code, dated December 10, 1907, (Schweizerisches Zivilgesetzbuch vom 10. Dezember 1907, ZGB, SR 210).

[18] Federal Penal Code, dated December 21, 1937, (Schweizerisches Strafggesetzbuch vom 21. Dezember 1937, StGB, SR 311).

[19] Federal Constitution of Switzerland, dated May 29, 1874, (Bundesverfassung der Schweizerischen Eidgenossenschaft vom 29. Mai 1874, BV, SR 101), text available online.

[20] ECPHRFF, dated November 4, 1950, (Europäische Menschenrechtskonvention vom 4. November 1950, EMRK, SR 0.101).

[21] Federal Supreme Court Decision (FCD) 84 II 573.

[22] FCD 95 II 488; FCD 97 II 99 et seq.; FCD 106 II 378.

[23] See Tuor & Schnyder, Das Schweizerische Zivilgesetzbuch, Zurich 1986, at 83.

[24] See Dessemontet & Ansay, Introduction to Swiss Law, The Hague 1995, at 53.

[25] All Swiss laws, including the Swiss Civil Code, exist in three official languages, i.e. German, French and Italian. Therefore, any English version of the Swiss law is an unofficial translation of the German, French or Italian text. For an English translations of the Swiss Civil Code, see for example Williams Wyler & Wyler, The Swiss Civil Code, English Version, Zurich 1987. The translations cited in this article are based on their wording.

[26] FCD 93 II 290; FCD 112 II 434.

[27] FCD 114 II 162.

[28] See Tuor & Schnyder, supra note 23, at 84.

[29] FCD 111 II 337.

[30] FCD 93 II 300; FCD 103 II 185 et seq.; FCD 107 II 216 et seq.

[31] Federal Code of Obligations (CO), dated March 30, 1911, (Schweizerische Obligationenrecht vom 30. März 1911, OR, SR 220).

[32] See supra at note 25.

[33] FCD 95 II 491 et seq.

[34] See Bucher, Natürliche Personen und Persönlichkeitsschutz, Basel 1995, at 149.

[35] Id.

[36] See Dessemontet & Ansay, supra note 24 at 54.

[37] FCD 109 II 4 et seq.

[38] Decision of the Court of Appeal of St. Gallen, in: Swiss Law Review (Schweizerische Juristenzeitung, SJZ), 1977 # 40, at 110 et seq.

[39] FCD 109 II 359 et seq.

[40] Article 47 CO.

[41] FCD 112 II 220 et seq.; FCD 117 II 56.

[42] See Bucher, supra note 34, at 151 et seq.

[43] Id, at 157.

[44] See Dessemontet & Ansay, supra note 24, at 54.

[45] FCD 106 II 98.

[46] Id; FCD 111 II 210 et seq.

[47] Decision of the Court of Appeal of Berne, in: Review of Berne's Lawyer's Association, (Zeitschrift des Bernischen Juristenvereins, ZBJV), 1992, at 171.

[48] FCD 106 II 99.

[49] See Bucher, supra note 34, at 152.

[50] Id.

[51] See Dessemontet & Ansay, supra note 24, at 55, noting that the right of a person to his picture or voice is recognized independently from that of privacy.

[52] See Bucher, supra note 34, at 153.

[53] FCD 97 II 97.

[54] See Dessemontet & Ansay, supra note 24 at 54.

[55] See Bucher, supra note 34, at 153.

[56] Id.

[57] See infra at Paragraph II/2.3.4. (Protection of Personal Data).

[58] See supra at note 25.

[59] FCD 95 II 486 et seq.; FCD 102 II 161 et seq.; FCD 108 II 243.

[60] FCD 97 II 97 et seq.; FCD 109 II 353.

[61] FCD 119 II 225.

[62] See Pestalozzi Gmuer & Heiz, Business Law Guide to Switzerland, Wiesbaden 1992, at 609.

[63] See supra at note 16.

[64] See Article 1 DPA.

[65] See Bucher, supra note 34, at 155.

[66] See Peter, Das Datenschutzgesetz im Privatbereich, Zurich 1994, at 71.; Accompanying report to the DPA (Report), dated March 23, 1988, at 22.

[67] See supra at Paragraph I, noting that the DPA applies only if the data were acquired in Switzerland. In regard to transnational data flows (i.e. data acquired in Switzerland, but processed or stored abroad) Article 6 DPA allows data flow across the national border, if the recipient's country provides a similar level of data protection.

[68] See Article 28 CC.

[69] FCD 86 II 378; FCD 108 II 64.

[70] See Bucher, supra note 34, at 163 et seq.

[71] FCD 108 II 61 et seq.; 114 Ia 358; 119 II 458.

[72] See Bucher, supra note 34, at 164-165.

[73] See Article 20 CO.

[74] See Bucher, supra note 34, at 166.

[75] Article 27 Section 2 CC.

[76] FCD 95 II 491 et seq.; 97 II 103 et seq.

[77] FCD 101 II 197.

[78] See Bucher, supra note 34, at 167.

[79] Id.

[80] FCD 107 Ia 280; FCD 95 II 492 et seq.

[81] FCD 113 Ia 320.

[82] FCD 119 II 101; FCD 111 II 214.

[83] Decision of the Court of Appeal of Zurich, in: Zurich's Judicial Papers, (Blätter für zürcherische Rectsprechung, ZR), 1983 # 46, 120.

[84] See supra at Paragraph II/2.3.1.(Protection of Honor and Dignity) and at Paragraph II/2.3.2.(Protection of Privacy).

[85] See Bucher, supra note 34, at 169.

[86] See list of permissible data processing in Article 13 Section 2 DPA.

[87] Article 12 Section 2 Letter a DPA.

[88] Article 12 Section 2 Letter c DPA.

[89] Article 12 Section 2 Letter e DPA.

[90] Article 12 Section 2 Letter b DPA.

[91] Article 12 Section 2 Letter f DPA.

[92] See Bucher, supra note 34, at 171-173.

[93] Article 254 Number 2 CC, FCD 112 Ia 248 et seq.

[94] See supra note 25.

[95] See Bucher, supra note 34, at 174-175.

[96] FCD 95 II 500; FCD 97 II 107.

[97] Tuor & Schnyder, supra note 23, at 89.

[98] See Bucher, supra note 34, at 178; see also Article 15 Section 1 DPA.

[99] For more details about the international character of this issue: see infra Paragraph II/5 (Applicable Law).

[100] FCD 95 II 499; FCD 101 II 189 et seq.

[101] See Bucher, supra note 34, at 179.

[102] Id, at 180.

[103] FCD 112 II 131 et seq.; FCD 117 II 60 et seq.

[104] Federal Private International Law Act (PILA), dated December 18, 1987, (Bundesgesetz über das Internationale Privatrecht vom 18. Dezember 1987, IPRG, SR 291). For an English Translation of the PILA, see for example, Karrer Arnold & Patocchi, Switzerland's Private International Law, Deventer 1994. All the translations cited in this artisne !re based on their wording.

[105] Article 2 PILA.

[106] Arti