Recently I wrote an article about SRF and the data protection there.
In the course of this article, I formulated 13 questions to SRF, and the answers arrived towards the end of last week.
Below are the questions and the answers from SRF. Afterwards, I will give my thoughts on the answers.
1. Manipulative cookie banner: Why was the cookie banner designed in such a way that it directs users in a certain direction instead of offering them a clear and simple choice between consent and rejection? Don't you think that a more transparent approach would strengthen user trust?
First of all, we would like to state that a cookie banner is still not mandatory for access from Switzerland. Corresponding information and the possibility of an "opt-out" (Art. 45c FMG) are sufficient. However, in a cookie banner, all data processing in connection with the use of our online offer can be made visible at a glance and managed individually. That is why we have decided on a cookie banner. In the cookie banner, we provide transparent information about the use of cookies and similar technologies and offer the option of accepting "only necessary" under "Manage individually". In addition, you can manage your settings yourself at any time under "Data protection settings" (in the footer of the websites).
2. AI systems: Which AI systems do you use exactly? Are they in-house developments or do you use third-party systems? If so, which ones?
We have been using AI-supported applications in the area of speech-to-text for several years, i.e. for the transcription of spoken words. These are usually standard software products. The speech-to-text tool for Swiss German dialects used by SRF was developed by a Swiss provider in cooperation with SRF. Furthermore, the well-known search engines are used in research, which also have AI components in the background. In-house developments, on the other hand, are a so-called "Jass card counter", which supports the editorial team during TV broadcasts, as well as a tool that can "read" the score from the scoreboard in team sports. Specialized, self-developed AI applications can also be found in the archive environment, where pattern recognition plays a major role in certain use cases, for example in the audio sector. For some time now, there have been internal experiments with products from the field of generative AI. As soon as the use of AI goes beyond the pure experimental stage and significantly affects the journalistic offer, SRF informs the public, cf. https://www.persoenlich.com/gesellschaft/srf-arbeitet-mit-ki-an-einer-serie.
3. Responsibility for AI decisions: Who takes responsibility if the AI you use makes wrong decisions or misuses data? How can users challenge such decisions?
We do not use AI without human control and do not leave decisions concerning people to AI-supported systems.
4. Data transparency: Can you specify which personal data is transmitted to countries such as the USA, Australia and India? Which companies or institutions in these countries have access to it?
SRF can also use processors in third countries. A risk assessment of the intended disclosure is carried out in advance and the standard contractual clauses of the EU Commission recognized by the FDPIC with the corresponding adjustments to Swiss law are concluded. We cannot provide any information about the specific personal data that is specifically disclosed to these processors. Which personal data we process can be found in our data protection declaration.
5. Data access: Who within SRF and at your partners has access to the collected data?
Access is granted to those SRF employees and processors of SRF who process the corresponding data. For example, employees of the Audience department have access to the data collected by the SRF UDP (platform for analyzing the usage behavior of websites and apps).
6. Purpose of app data collection: For what specific purpose do you need detailed technical information such as IMEI, IMSI and MAC address from users of your apps?
This information is not collected by SRF, but can be collected by the operating system. Therefore, we provide information about this data processing in the data protection declaration. Due to your request, we have discussed this information internally and have come to the conclusion that the passage can be misunderstood. We will therefore adapt our data protection declaration accordingly.
7. Necessity of data: How do these specific data (IMEI, IMSI, MAC address, etc.) contribute to the functionality or improvement of the app? Are they essential for the operation of the app?
Cf. answer 6.
8. Location data: Is location data also collected by collecting IMSI and IMEI? If so, how is it used?
As mentioned, IMEI and IMSI are not collected by SRF. Which services collect location data when using our online offer and for what purposes they process it is listed in the cookie banner. For example, the geolocation is collected by Usercentrics so that the correct cookie banner is displayed to the users (a different cookie banner is displayed for access from Switzerland than for access from outside Switzerland).
9. Transparency and education: How do you inform your app users about the type of data collected and its use? Is there an easy way for users to request a complete list of the data collected by the app?
The cookie banner lists for each service which data is processed by this service and for what purpose.
10. Use of third-party SDKs: Do your apps use software development kits (SDKs) from third-party providers that may also have access to this technical data?
Yes, information about the third-party providers and their data processing is provided in the cookie banner.
11. Opt-out option: Is there a way for users to refuse or opt-out of certain data collections or transfers without having to completely avoid SRF's services?
Non-necessary cookies and similar technologies can be rejected via the cookie banner or the "data protection settings". In addition, cookies can be completely or partially deactivated and deleted in the browser settings at any time.
12. Data minimization: In view of data economy, a basic principle of data protection: Why do you collect more data than is obviously necessary for the function of your services? Have you considered measures for data minimization?
We generally only process as much personal data as we need to fulfill our mandate under the RTVG and the concession. Personal data that is no longer required is deleted or anonymized.
13. Clarity about third parties: Can you provide a list of the third-party providers with whom you work, especially those who have access to user data?
The cookie banner lists the third-party providers who process user data from website visitors or app users.
My thoughts on the answers
Basically, I would like to thank the SRF data protection team at this point, as they answered all my questions without any problems (without having to follow up again).
At first glance, this sounds self-evident, but I can report from my own experience that this is not self-evident and that, for example, with a cantonal website - despite several e-mails - I only received an answer when I involved the cantonal data protection officer there.
First, I would like to address the answer to the first question: the cookie banner. SRF is absolutely right that Swiss data protection law does not require cookie banners. This is also the reason why there is no such banner on this blog.
Unfortunately, they did not address the accusation of the "dark pattern". Even if a cookie banner is not required by law, there is no technical reason for the banner to lack a "reject all" or "only allow technically necessary cookies" button.
Anyone who wants to reject everything has to go into the details and can only reject cookies there. This does not violate any law, but it is user-unfriendly and encourages users to accept everything. And I still think that this procedure is not a nice solution for a publicly financed media company.
Nevertheless, SRF shows a strong commitment to transparency and user orientation through its answers. Despite the fact that the Swiss regulations do not require a cookie banner, SRF has nevertheless decided to use one. This procedure serves to fully inform users and at the same time offer them control options over their data.
On the subject of artificial intelligence (AI), it becomes clear that SRF not only relies on standard AI products, but also on in-house developments. In doing so, it sometimes cooperates with Swiss partners. Particularly noteworthy is SRF's promise to inform the public about any AI use that goes beyond the test stage.
It would be exciting here if these AI in-house developments were available as free software.
With regard to responsibility for AI decisions, SRF clearly emphasizes that AI systems are not used without human control. The company seems to be aware of the potential risks and ensures that human intervention is possible at all times.
Another important point is the question of data transfers to third countries. SRF states that it carries out risk assessments and concludes the EU Commission's standard contractual clauses, adapted to Swiss law, before passing on data to third-country processors. However, the answers could be more detailed, especially with regard to the exact data flow to third-party providers.
With regard to app data collection and specific technical data, SRF emphasizes that it does not collect certain information such as IMEI and IMSI, but that this could be collected by the operating system. It is noteworthy that they are considering changes to their privacy policy based on feedback, which indicates a proactive attitude towards data protection concerns.
Finally, it becomes clear that SRF pursues the data protection principle of data economy and concentrates on collecting only the really necessary data in order to fulfill its legal and concessionary tasks.
In summary, SRF presents itself as a company that takes data protection seriously, is aware of its responsibility in dealing with AI and strives to improve certain points such as the dark pattern in the cookie banner or the data flow to third-party providers in the future.