Under Swiss law, there are no rules specifically applicable to cloud computing. There are, in particular, no regulations prohibiting, restricting or otherwise governing cloud computing. The Swiss legislature strives to keep laws technology-neutral, thus general rules (including as regards data protection) apply to cloud computing.
Personal data must be protected by appropriate technical and organisational measures against unauthorised processing regardless of where it is stored. Anyone processing personal data must ensure its protection against unauthorised access, its availability and its integrity. The use of cloud services may qualify as an outsourced processing service and, in cases where the servers of the cloud are located outside Switzerland and the personal data is not fully encrypted during transfer and storage, as an international transfer of personal data (see 6 Key Data Protection Principles). The Federal Data Protection and Information Commissioner (FDPIC) has issued a non-binding guideline setting out the general risks and data protection requirements with respect to the use of cloud services.
The Federal Act on the Surveillance of Mail and Telecommunication Traffic of 18 March 2016, as amended (Bundesgesetz betreffend die Überwachung des Post- und Fernmeldeverkehrs, BÜPF), applies to providers of derived communication services, which includes cloud service providers. Where telecommunication services are involved in criminal investigations, service providers are obliged to tolerate surveillance measures and to provide access to their data processing systems upon order by competent authorities. Specific rules may apply in regulated markets, such as the banking sector (eg, Circular 2018/3 relating to outsourcing, issued by the Swiss Financial Market Supervisory Authority (FINMA), which applies to banks, insurers and securities firms organised under Swiss law, including Swiss branches of foreign banks, insurers and securities firms subject to FINMA supervision).
In the event a customer of a cloud services provider is subject to compliance requirements as set out above or respective contractual obligations towards a third party, applicable obligations have to be set out in writing in the contracts with the cloud services provider. This applies, in particular, to compliance with data protection regulations as imposed on the customers of cloud services providers.
In Switzerland, there is no specific regulation in relation to distributed ledger technology (DLT) or blockchain. The Swiss legislature strives to keep laws technology-neutral, thus the general rules apply, including as regards risks, liability, intellectual property, anti-money laundering and data privacy.
As regards the application of the existing regulations on initial coin offerings (ICOs), FINMA published corresponding guidelines on 16 February 2018. Generally, FINMA focuses on the economic function and purpose of the tokens, as well as whether they are tradeable or transferable, in order to classify the tokens broadly into three "archetypes" – ie, payment tokens (which include cryptocurrencies), utility tokens and asset tokens. The classification of the individual token impacts the applicable legal and regulatory framework – ie, tokens do not constitute a separate regulatory category. Since then, FINMA has issued further guidelines on money laundering on the blockchain and, most recently, also on stable coins.
Switzerland has a suitable, proven and balanced legal framework; hence, only limited and targeted adjustments as regards DLT/blockchain applications are currently contemplated. While the Swiss legislature is aware that the possibilities offered by DLT/blockchain go far beyond their application to alternative financing, there is a legislative focus on the financial sector.
In December 2018, the Swiss Federal Council published a report on the legal framework for blockchain and DLT in the financial sector, which noted that the Swiss legal framework is, in principle, well suited to deal with new technologies.
In September 2020, Parliament adopted the Federal Act on the Adaption of Federal Law to Developments in Distributed Ledger Technology (DLT Act), which will adapt various federal laws in order for Switzerland to continue to develop as a leading, innovative and sustainable location for blockchain and DLT activity.
The amendments include:
Overall, these legislative amendments are expected to increase market access to fintech companies working in the field of DLT/blockchain technologies by improving legal certainty and removing certain regulatory barriers. The provisions enabling the introduction of uncertificated register securities that are represented on a blockchain will enter into force on 1 February 2021. The remaining provisions of the DLT Act will most probably enter into force on 1 August 2021.
Transactions in cryptocurrencies may be carried out on an anonymous basis and related money laundering risks are accentuated by the speed and mobility of the transactions made possible by the underlying technology. The Know Your Customer (KYC) principle is the cornerstone of the anti-money laundering (AML) and combating the financing of terrorism (CFT) due diligence requirements that are generally imposed on financial institutions where AML/CFT legislation is aligned with international standards. KYC requires that financial institutions duly identify (and verify) their contracting parties (ie, customers) and the beneficial owners (when their contracting parties are not natural persons) of such assets as well as their origin. Together with transaction monitoring, KYC ensures the traceability of assets (ie, paper trail) and allows the identification of money laundering and financing of terrorism indicia.
With respect to DLT/blockchain applications, one of the challenges is that KYC and other AML/CFT requirements are designed for a centralised intermediated financial system, in which regulatory requirements and sanctions can be imposed by each jurisdiction at the level of the financial intermediaries operating on its territory (ie, acting as gatekeepers). By contrast, virtual currency payment products and services rely on a set of decentralised, cross-border, virtual protocols and infrastructure elements, neither of which has a sufficient degree of control over, or access to, the underlying value (asset) and/or information, meaning that identifying a touch-point for implementing and enforcing compliance with AML/CFT requirements is challenging.
Swiss AML legislation does not provide for a definition of virtual currencies. However, since the revision of the FINMA AML Ordinance in 2015, exchange activities in relation to virtual currencies, such as money transmitting (ie, money transmission with a conversion of virtual currencies between two parties), are clearly subject to general AML rules. Furthermore, the purchase and sale of convertible, virtual currencies on a commercial basis and the operation of trading platforms to transfer money, or convertible virtual currencies, from the users of a platform to other users are subject to Swiss AML rules.
Since DLT-trading facilities (the separate licence category proposed, by the DLT Act, to be introduced as an amendment to the Financial Market Infrastructure Act (FMIA); see above) can carry out activities that qualify as financial intermediation under the Anti-Money Laundering Act (AMLA), they are to be included in the AMLA as specifically regulated financial intermediaries.
Big data, machine learning and artificial intelligence (AI) offer new opportunities to develop social or scientific knowledge and can be the basis for further forms of value creation by companies. In general, there is no cross-sector regulation in Switzerland regarding big data, machine learning or AI. As regards the processing of personal data, the right to privacy and the protection of personal data must be safeguarded (see 6 Key Data Protection Principles). While government authorities periodically review developments as regards big data, machine learning and AI, it is acknowledged that any regulation should be technology-neutral in order to accommodate new developments within the existing legal and regulatory framework. This enables businesses located in Switzerland to make optimal use of upcoming technologies and advances and to efficiently adapt their business models and processes as required or desired.
The Federal Council has set up a federal working group on artificial intelligence under the direction of the State Secretariat for Education, Research and Innovation (SERI), which facilitates the exchange of knowledge and opinions and the co-ordination of Switzerland’s positions in international bodies. Based on a report of SERI submitted to the Federal Council outlining existing measures, an assessment of possible fields of action and considerations on the transparent and responsible use of AI, the Federal Council concluded on 13 December 2019 that Switzerland is, in general, well suited to address AI applications, business models and challenges. Thus, there is no immediate need to adapt the existing legislative framework, subject to certain specific areas (such as mobility, security policy, education and research) in which, however, a multitude of measures have already been initiated to address corresponding challenges.
The internet of things (IoT) refers to objects and devices which are connected to a network such as the internet and which use the network to communicate with each other or make information available. The connecting device may be a modem, network-attached storage (NAS), a webcam, intelligent light switches or smart TVs connected to an internal network or the internet. The Swiss regulatory framework encourages digital services – in particular, due to the technology-neutral approach of the legislator – thereby allowing for ample room for development for technology-driven business models and companies. Hence, there are generally no regulation-induced impediments to technological innovation under current law. Government authorities periodically review developments in technology and generally emphasise the importance of making use of technological progress. Considerable efforts are undertaken to further facilitate lower barriers to market entry for technology-driven business models.
As more and more intelligent devices are connected to the internet, not only has the number of communications participants involved grown but also the number of vulnerable devices that may be misused by hackers (eg, for sending spam e-mails). Such devices need to be adequately protected (eg, by using individual passwords or restricted access) and respective software has to be kept updated. Between objects and devices that communicate with each other, large amounts of information and data are typically exchanged. This may also have an impact on the protection of personal data and the general rules of data protection apply. Any data subject is protected from their personal data either being processed in a way that is not in compliance with the law or used for purposes other than those communicated or apparent to the data subject, unless the data subject consents to this processing or unless another statutory justification applies (see 6 Key Data Protection Principles).
To protect critical information and communication infrastructure in Switzerland, the Federal Council has commissioned the Reporting and Analysis Centre for Information Assurance (Melde- und Analysestelle Informationssicherung, MELANI). To prevent devices within the IoT from being misused by hackers, MELANI recommends preventive measures on its website. These measures include, among others:
Under Swiss law, there is no specific regulation in relation to IT service agreements. However, there are statutes governing the general outsourcing of services to (IT) providers in certain industries – eg, the financial industry, telecommunications and the public sector. As regards financial services, the sector-specific regulation set out below applies to the outsourcing of business areas (infrastructure or business processes).
Swiss Banking Secrecy
Article 47 of the Swiss Federal Banking Act of 8 November 1934, as amended (Banking Act), on banking secrecy, protects customer-related data from disclosure to third parties and applies to all banking institutions in Switzerland. Any disclosure of non-encrypted data to a supplier is only allowed with the express consent of each banking customer. Consent can be given under the bank’s general terms of business if they are made an integral part of the contract between the bank and its customers. The Banking Act does not prohibit the transfer of encrypted data (where the supplier cannot identify individual customers).
The FINMA Outsourcing Circular
Circular 2018/3 (Outsourcing Circular) relating to outsourcing issued on 21 September 2017 by the Swiss Financial Market Supervisory Authority (FINMA, the supervisory authority for banks, insurers, reinsurers, stock exchanges, securities firms, collective investment schemes and audit firms) applies to banks, securities firms and insurers organised under Swiss law, including Swiss branches of foreign banks, securities firms and insurers which are subject to FINMA supervision. As of 1 January 2021, the Outsourcing Circular also applies to managers of collective assets organised under Swiss law, including Swiss branches of foreign managers of collective assets and fund management companies with a registered office and a head office in Switzerland as well as to self-managed sociétés d'investissement à capital variable (SICAVs).
Before outsourcing significant business areas, these institutions must comply with the detailed measures set out in the Outsourcing Circular, including:
The customer remains responsible for the outsourced business areas, so it must ensure their proper supervision. Swiss banks, securities firms and insurers must also consider that outsourcings to independent service providers are generally considered to increase operational risks and therefore lead to additional capital requirements for them.
Essential Service Outsourcing
A financial market infrastructure subject to the FMIA and the implementing ordinance (FMIO), as amended (which includes a stock exchange, multilateral trading facility, central counterparty, central securities depository, trade repository or payment system) must obtain prior approval from FINMA if it wishes to outsource essential services such as risk management. If such an outsourcing is proposed by a financial market infrastructure the Swiss National Bank (SNB) considers to be systemically important, FINMA must consult with the SNB beforehand.
When outsourcing an essential service, the financial market infrastructure must carefully select, instruct and control the service provider; integrate the outsourced service into its internal control system; and monitor the services rendered by the service provider on an ongoing basis.
Reciprocal rights and duties must be set out in a written agreement with the service provider. If a financial market infrastructure outsources its services, it remains responsible for maintaining compliance with its duties under the FMIA. Outsourcing services to another jurisdiction also requires the application of appropriate technical and organisational measures to ensure the observance of professional confidentiality and data protection law. Contracting parties of financial market infrastructures whose data is to be sent to a service provider abroad must be informed. The financial market infrastructure, its internal audit function, the external audit firm, FINMA and (if systemically important) the SNB, must be able to inspect and review the outsourced service.
Consolidated Rules on Outsourcing
Since 1 January 2020, consolidated rules on outsourcing also apply to both financial institutions regulated by the new Financial Institutions Act (FinIA) and its implementing ordinance (FinIO), as amended, and financial service providers regulated by the new Financial Services Act (FinSA) and its implementing ordinance (FinSO), as amended.
Financial institutions (which include portfolio managers, trustees, managers of collective assets, fund managers and securities firms), under the FinIA and FinIO, may only delegate tasks to third parties that have the necessary skills, knowledge, experience and authorisations to perform such tasks. The financial institution must therefore carefully instruct and supervise any such third parties. FINMA may make the delegation of investment decisions to a third party located abroad subject to an agreement on co-operation and information exchange between FINMA and the competent foreign supervisory authority (particularly if such an agreement is required under the other country's laws). If a financial institution outsources significant functions, the outsourcing service provider will be subject to information and reporting duties to, and audits by, FINMA.
The liability of financial institutions and their corporate bodies is subject to the Swiss Federal Code of Obligations (CO). If a financial institution outsources a task to a third party, it will be liable for any damage caused by the outsourcing service provider, unless it can prove that it has diligently selected, instructed and monitored the provider (special rules may apply to fund management companies).
Financial services providers (which include client advisers and producers and providers of financial instruments), under the FinSA and FinSO, may only delegate tasks to third parties that have the necessary skills, knowledge, experience and authorisations to perform such tasks. The financial services provider must therefore carefully instruct and supervise the third parties. If a secondary (sub-contracted) financial services provider is required to provide a financial service for the principal's clients, the principal financial services provider will remain liable for the completeness and accuracy of the client information; fulfilling the duties in relation to the information; the adequacy and suitability of the financial services; and documentation and accountability.
If the secondary financial services provider has reasonable grounds to suspect that the client information is incorrect or that such duties were not fulfilled by the principal financial services provider, it may provide its service only after it has ensured the completeness and accuracy of the information and compliance with the code of conduct.
Personal Data Protection
The outsourcing of services to an IT service provider may also impact the protection of personal data. Any data subject is protected from their personal data being processed in a way that is not in compliance with the law or used for purposes other than those communicated or apparent to the data subject, unless the data subject consents to this processing or unless another statutory justification applies (see 6 Key Data Protection Principles). However, personal data may be given to outsourcing suppliers based on a contract or statutory law if the customer ensures that the supplier will only process data in a way that the customer is itself entitled to, and that the supplier will comply with the applicable data security standards, and if no statutory or contractual secrecy obligations prohibit this data processing. As the customer remains liable towards the data subject for the compliant handling of personal data by the supplier, and reflecting the growing importance of data protection, there is a tendency not to apply a liability cap for breaches of data protection or other regulatory requirements in outsourcing agreements. This is particularly the case when sensitive data such as business secrets or bank customer data are involved.
Data Protection Legislation
Switzerland has dedicated data protection laws. The Federal Data Protection Act of 19 June 1992, as amended (DPA), and the Ordinance to the Federal Act on Data Protection of 14 June 1993, as amended (DPO), govern the processing of what in Switzerland is referred to as "personal data" by private parties or federal bodies. Processing of personal data by cantonal authorities (cantons are the Swiss states) is subject to separate state legislation. In addition, several other federal laws contain provisions on data protection, which further address the collection and processing of personal data, especially as regards the processing of personal data in regulated industries (such as financial markets and telecommunications).
The DPA and DPO apply to the processing of any data relating to an identified or identifiable person, irrespective of its form – ie, to personal data pertaining to natural persons (individuals) and personal data pertaining to legal entities (companies). A person is identifiable if a third party having access to the data on the person is able to identify that person with reasonable efforts. Pursuant to the DPA, "sensitive personal data" and "personality profiles" are to be considered as special categories of personal data that are subject to stricter processing conditions. Sensitive personal data is data on:
A personality profile is a collection of personal data that permits an assessment of the essential characteristics of the personality of a natural person.
As a general principle, personal information must always be processed (this includes collection and usage) lawfully. Such processing is lawful if it is either processed in compliance with the general principles set out in the DPA (including, among others, the principle that the collection of personal information and, in particular, the purpose of its processing, must be evident to the data subject at the time of collection) or, if non-compliant with these general principles, is justified (eg, by the data subject’s voluntary informed consent or by law). The disclosure of personal information to third parties is generally lawful under the same conditions.
Cross-Border Data Transfers
Personal data may only be transferred outside Switzerland if the privacy of the data subject is not seriously endangered; in particular, due to the absence of legislation that guarantees adequate protection in the jurisdiction where the recipient resides. The FDPIC has published a list of jurisdictions that provide adequate data protection. The countries of the European Economic Area and Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, Monaco, New Zealand and Uruguay are generally considered to provide an adequate level of data protection as regards personal data relating to individuals (however, many do not as regards personal data relating to legal entities), while the laws of all other jurisdictions do not provide adequate data protection.
As regards the USA, the Swiss-US Privacy Shield (which replaced the US-Swiss Safe Harbour Framework in 2017), under which Swiss companies were able to transfer personal data to their US business partners without the need to procure the consent of each data subject or to put additional measures in place, was declared invalid by the FDPIC in September 2020. The FDPIC concluded that although the Swiss-US Privacy Shield guarantees special protection rights for persons in Switzerland, it does not provide an adequate level of protection for data transfer from Switzerland to the USA pursuant to the DPA. As a result, Swiss companies can no longer rely on the Swiss-US Privacy Shield for the transfer of personal data from Switzerland to the USA without additional safeguards or justification (see below).
In the absence of legislation that guarantees adequate protection, personal data may only be transferred outside Switzerland if, inter alia:
In practice, in order to ensure an adequate level of data protection, data transfer agreements or data transfer clauses (ie, binding corporate rules) are regularly used. It is the responsibility of the data transferor to ensure that an agreement sufficiently protecting the rights of the data subjects is concluded. The FDPIC provides a model data transfer agreement which can be accessed on its website. The model data transfer agreement is based on Swiss law and reflects, to a large extent, the standard contractual clauses of the European Commission for data transfers. The FDPIC has to be notified of the use of such agreements accordingly. Furthermore, in the case of regular processing of particularly sensitive data or personality profiles, or regular disclosure of personal data to third parties (whereby group companies qualify as third parties within the meaning of the DPA), the respective data files must be registered with the FDPIC. Such data files have to be registered prior to being established. However, there are exemptions from this registration duty; in particular, if the respective data is processed as a matter of law or in the case of a voluntary appointment of a data protection officer. A list of business organisations who have appointed a data protection officer is publicly accessible on the FDPIC’s website.
Data Protection Officers
The appointment of a data protection officer is not mandatory in Switzerland. However, the registration of data collections is not required if the owner of a data collection has appointed a data protection officer that independently monitors data protection compliance within the owner’s business organisation and maintains a list of data collections. The appointment of a data protection officer will only result in a release of the duty to register data collections if the FDPIC is notified of the appointment of a data protection officer. A list of business organisations that have appointed a data protection officer is publicly accessible on the FDPIC’s website. The data protection officer has two main duties. First, the data protection officer audits the processing of personal data within the organisation and recommends corrective measures if he or she finds that the data protection regulations have been violated. He or she must not only assess compliance of the data processing with the data protection requirements on specific occasions, but also periodically. The auditing involves an assessment of whether the processes and systems for data processing fulfil the data protection requirements, and whether these processes and systems are in fact enforced in practice. If the data protection officer takes note of a violation of data protection regulations, he or she must recommend corrective measures to the responsible persons within the organisation and advise them on how to avoid such violations in the future. The data protection officer does not, however, need to have direct instruction rights. Second, the data protection officer maintains a list of the data collections that would be subject to registration with the FDPIC. The list must be kept up to date. Unlike the data collections registered with the FDPIC, the internal data collections do not have to be maintained electronically nor must they be available online. 
However, they must be made available on request to the FDPIC and to data subjects.
Swiss Alignment with International Data Protection Standards
Switzerland is a member state to certain international treaties regarding data protection, such as the European Convention on Human Rights and Fundamental Freedoms and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 (Convention ETS 108) and its additional protocol of 8 November 2001. Although Switzerland is not a member of the EU and, hence, has neither implemented the EU Data Protection Directive 95/46/EC nor is directly subject to the EU General Data Protection Regulation 2016/679 (GDPR), it has been officially recognised by the European Commission as providing an adequate level of protection for data transfers from the EU.
The Swiss parliament recently adopted a revision of the DPA. The revision of the DPA aligns the DPA with international rules on data protection in order to comply with the revised Convention ETS 108 and the GDPR. This will allow Switzerland to uphold its status as a country adequately protecting personal data from an EU perspective, which allows for easier transfer of personal data from the EU and the ratification of Convention ETS 108.
The revised DPA largely follows the regime provided by the GDPR with some reliefs and very limited "Swiss finishes" (ie, rules that go beyond the requirements of the GDPR – most importantly, every country to which personal data is transferred will have to be explicitly named). It is not yet clear when the revised DPA will enter into force (as the corresponding ordinance still needs to be drafted) but it can be expected to happen in the course of 2021 or at the beginning of 2022.
The processing of employee data by an employer, and in particular the monitoring of employees, is regulated by several Swiss laws on different levels. In addition to the general provisions on data protection set out in the DPA and its implementing ordinances (see 6 Key Data Protection Principles), the processing of employee personal data is further restricted by the CO. The employer may process personal data relating to an employee only to the extent that such data concerns the employee’s suitability for his or her job or as necessary for the performance of the employment contract. In addition, pursuant to Swiss labour law, the monitoring and control of employees (such as monitoring and limiting the use of computer resources by an employer) is subject to certain further restrictions according to Article 26 of Ordinance 3 to the Swiss Federal Act on Employment in Trade and Industry of 13 March 1964, as amended. Surveillance and control systems monitoring employee behaviour in the workplace (Monitoring Systems), such as the examination or monitoring of an employee’s office desk or systems (eg, e-mails, voice mail, fax and video recording) are prohibited if monitoring the employee’s general behaviour is the sole or predominant purpose of such systems. The use of Monitoring Systems is, however, permissible where legitimate reasons apply and such use is proportionate – ie, suitable, necessary and reasonable. In general, legitimate reasons are, among others, security measures, worktime control, quality and productivity control, improvement of organisation or planning of the work as well as reasons which are inherent to the nature of the employment itself.
In Switzerland, the telecommunications sector is regulated at federal level. The main source of law is the TCA, which governs any transmission of information by means of telecommunications techniques, except for television and radio programme services. Further sources of law include the Federal Ordinance on Telecommunications Services of 9 March 2007, as amended (OTS), and the Federal Ordinance on Telecommunications Installations of 25 November 2015, as amended (TIO). As regards electronic communications equipment, Swiss requirements are largely in line with international and, particularly, European standards. The Federal Council can adopt technical regulations on telecommunications installations, particularly basic technical requirements for telecommunications, evaluation, certification or declaration of conformity. The Federal Office of Communications (OFCOM) regularly designates technical standards. Compliance with these standards fulfils the basic requirements set out by the Federal Council. The telecommunications law framework applies to telecommunications service providers (TSPs), which are providers of services qualifying as telecommunications services. The TCA defines TSPs as services transmitting information for third parties using telecommunications techniques, which include the sending or receiving of information by wire, cable or radio using electrical, magnetic, optical or other electromagnetic signals.
In the telecommunications sector there are two regulatory agencies: the Federal Communications Commission (ComCom) and OFCOM. Fixed line and mobile telephony/satellite services are regulated by the TCA and its implementing ordinances.
The latest TCA revision, which entered into force as of 1 January 2021, includes improvements in the area of consumer protection (including in relation to international roaming, open internet, unfair competition and protection of children and adolescents) and provides for deregulation and administrative simplification (including abolition of the general notification and licensing requirements). Under the revised TCA, among other things, the registration obligation for TSPs is limited to TSPs which, for the provision of telecommunications services, use:
All other TSPs, while still having to comply with the obligations of the TCA, are no longer required to register with OFCOM. ComCom awards one or more universal service licences to TSPs to ensure that universal service is guaranteed for the whole population of Switzerland in all parts of the country.
Providers of Voice over Internet Protocol (VoIP) services remain unregulated if they provide online services only, without transmitting data using telecommunications techniques. If the provider qualifies as a TSP (eg, where a VoIP customer can also be reached by way of a fixed line telephone number as part of the public switched telephone network), the TCA applies. However, ComCom does not require such VoIP providers to fulfil all the obligations the TCA imposes on regular TSPs; for example, they are under no duty to enable free carrier pre-selection (since there is no close link that needs to be broken between a network and a service operator) or the identification of the caller’s location in the case of emergency calls (which would be technically difficult to establish).
Broadcast Media Regulation
The broadcasting sector has three main authorities responsible for the granting of licences. The Federal Council is the licensing authority for the Swiss Broadcasting Corporation (SBC). With respect to other licences, licensing competence has been delegated to the Swiss Federal Department for the Environment, Transport, Energy and Communications (DETEC). OFCOM puts the licences out for tender and consults interested groups. OFCOM further fulfils all sovereign and regulatory tasks related to the telecommunications and broadcasting (radio and television) sectors. It fulfils an advisory and co-ordinating function for the public and policymakers. It also guarantees that basic services are provided in all parts of the country and throughout the population.
The Federal Media Commission (FMEC) advises the Federal Council and the Federal Administration in relation to media issues. The Federal Radio and Television Act of 24 March 2006, as amended (RTVA), provides for an Independent Complaints Authority for Radio and Television, which deals with complaints that relate to the editorial programme and rules on disputes over denied access to a programme. In Switzerland, apart from the communications sector, regulation of the media sector is also dealt with at a federal level. The broadcasting, processing and reception of radio and television programme services are regulated by the RTVA, the Federal Ordinance on Radio and Television of 9 March 2007, as amended (RTVO), and related regulation.
Broadcasters of programme services are, in principle, required to obtain a licence. Broadcasters that neither request the splitting of revenue nor guaranteed wireless terrestrial distribution may operate their service without a licence. However, such broadcasters need to notify OFCOM. Also, broadcasters of programme services of minor editorial importance (such as programme services that can only be received by fewer than 1,000 people at the same time) do not fall under the scope of the RTVA and do not need a licence or registration. If the broadcaster of a radio programme service is granted a licence under the RTVA, it is at the same time granted a licence under the TCA for use of the frequency spectrum (no separate application is needed). Cable TV operators are under a duty to broadcast, in the respective coverage area, the TV programme services of broadcasters that have been granted a licence. Licences are awarded by public tender. There are no rules specifically applicable to the operation of an online video channel (such as a YouTube channel). Since the Swiss legislature strives to keep laws technology-neutral, the general rules apply to the operation of online video channels. To be awarded a licence, the applicant must be able to fulfil the mandate; possess sound financial standing; be transparent regarding its owners; guarantee compliance with employment law regulations and the working conditions of the industry, the applicable law and in particular the obligations and conditions associated with the licence; maintain a separation of editorial and economic activity; and have registered offices in Switzerland.
In general, the number of licences a broadcaster and its group companies may acquire is limited to a maximum of two television and two radio licences (this limit does not apply to SBC). If there are several applicants for one licence, preference will be given to the candidate that best fulfils the performance mandate. Often, independent applicants (ie, those not belonging to a media corporation that already possesses other licences) are deemed by DETEC to be better able to fulfil this criterion. The fee per year for a broadcasting licence amounts to 0.5% of the gross advertising revenue that exceeds CHF500,000. Furthermore, administrative charges will be incurred in relation to the radio and TV licence as well as to the telecommunications licence. These charges are calculated on the basis of time spent. A reduced hourly rate applies to the granting, amending or cancelling of a licence for the broadcasting of a radio or television programme service as well as for the radio communications licence.
Financial Support for Media
On 28 August 2019, and following consultation on the preliminary draft of the Federal Act on Electronic Media (PD-FAEM), the Federal Council called for efficient and rapidly implementable measures relating to online media and newspapers. On 29 April 2020, the Federal Council submitted to parliament a package of measures to support the media. This package will provide for financial resources for online media and foresees that more daily and weekly newspapers will benefit from indirect press support. The Federal Council decided not to pursue the PD-FAEM.
In Switzerland, there is no specific regulation in relation to encryption. Technology, media and telecom providers are not directly required to use encryption technology. However, pursuant to the DPA, any information qualifying as personal data must be protected by appropriate technical and organisational measures against unauthorised processing (see 6 Key Data Protection Principles). Encryption is one such measure.
In particular, personal data must be protected against:
Hence, many providers rely on encryption technology when processing personal data. In this context, data protection law provides for the certification of products intended for the processing of personal data. Manufacturers of data processing systems or programs, as well as private persons or federal bodies that process personal data, may submit their systems, procedures and organisation (which usually encompass encryption as a means of data security) for evaluation by recognised (ie, accredited) independent certification organisations. However, the use of encryption technology does not generally exempt anyone processing personal data from compliance with general data protection rules.
Encryption and Disclosure
In civil, criminal or public procedures, authorities may compel the parties to such proceedings, or even non-involved third parties, to disclose certain information in accordance with those parties’ duties to prove or disprove disputed facts before the respective authority. This may include information that is stored in an encrypted format, in which case the party in question has to disclose the information in an unencrypted, readily accessible format. Available enforcement mechanisms depend on the type of procedure and the role the person concerned has in that procedure.
Encryption and Crime
The use of encryption systems (such as public key infrastructures) is protected by criminal law pursuant to the Federal Criminal Code of 21 December 1937, as amended (CC). Any person who obtains unauthorised access by means of data transmission equipment to a data processing system that has been specially secured to prevent his or her access is liable to imprisonment not exceeding three years or to a monetary penalty (Article 143bis para 2 CC). Similarly, with respect to computer fraud, any person who – by the incorrect, incomplete or unauthorised use of data (or in a similar way) – influences the electronic or similar processing or transmission of data and as a result causes the transfer of financial assets is liable to imprisonment not exceeding five years (not exceeding ten years in case a commercial gain is intended) or to a monetary penalty (Article 147 CC).
The Swiss government has not adopted any emergency legislation, relief programmes or other initiatives to address the COVID-19 pandemic that are specifically applicable to the TMT sector. However, even though the Swiss government decided on 18 January 2021 to temporarily close shops and markets in Switzerland to fight the spread of the COVID-19 virus, the outlets of telecommunication providers (together with grocery stores and other stores selling foodstuffs or other goods for daily needs) were allowed to remain open.
Several new laws have come into force in Switzerland in 2021, such as the Swiss Telecommunication Act (Revised TA) and its Ordinances and provisions in the Swiss Act against Unfair Competition (Revised UCA) relating to unsolicited telephone calls. Later this year, the Swiss Data Protection Act (Revised DPA) will follow. But, in addition, new regulations regarding the notification of cyber-incidents in the financial services sector and guidelines for AI will dominate the Swiss legal scene.
Revised Telecommunications Act
Telecommunications have developed at a rapid rate since the Swiss Telecommunications Act entered into force in 1997. The current partial revision takes the changed technological environment into account, enhances consumer protection, enshrines net neutrality and regulates access to the last mile of fibre-optic connections.
The definition of a telecommunications service provider (TSP) is broader under the Revised TA. The definition of a TSP now also includes over-the-top (OTT) services such as instant messaging and Voice over Internet Protocol. Anyone offering these OTT services must now fulfil the obligations of a TSP under the Revised TA and is subject to supervision by the Swiss Federal Office of Communications (OFCOM). However, the exponential growth of providers of OTT services means that they are exempt from the obligation to report to and register with OFCOM. The Revised TA imposes various new obligations on all TSPs, such as obligations to actively combat cyber-attacks or to provide information about the quality of telecommunications services.
Revised Unfair Competition Act
The provisions of the Revised UCA were amended with regard to advertising. In a nutshell, the following applies as from 1 January 2021.
Revised Data Protection Legislation
On 25 September 2020, after more than two years of negotiations, the Swiss Parliament passed the revised Federal Act on Data Protection (FADP). Despite a total revision of the law, the basic principles of data processing – in particular transparency, purpose limitation, proportionality and data security – remain unchanged and apply as before. As under applicable law, data processing continues to be considered lawful if it occurs in compliance with these data processing principles and no personality rights are violated. This means that only in certain situations will justification by consent, legal basis or overriding private or public interests be necessary. Despite the alignment with the EU General Data Protection Regulation (GDPR) on many points, Switzerland still deviates from the GDPR in this respect.
Nevertheless, there are various new regulations under the revised FADP and various points which take account of the GDPR. These include that the data of legal entities is no longer protected, information obligations of the controller have been extended and numerous data protection governance obligations have been introduced (records of processing activities, data protection impact assessments, obligation to report a data breach, optional data protection advisor, etc). Moreover, controllers with domicile/residence outside of Switzerland will, under certain conditions, need to designate a representative in Switzerland if they process the personal data of data subjects in Switzerland. Finally, the revised FADP also contains a more stringent catalogue of penalties and enhances the competences of the Federal Data Protection and Information Commissioner (FDPIC). In cases of a violation of the regulations of the revised FADP, the responsible person in a company can be personally liable for fines of up to CHF250,000.
The revised FADP is expected to come into force in 2022, but it does not generally provide for a transitional period (with a few exceptions). Therefore, companies must have taken the necessary measures by the time the revised law comes into force.
Cyber-Attacks – New Notification Rules
The Swiss Financial Market Supervisory Authority (FINMA) published the Guidance 05/2020 "Duty to report cyber attacks pursuant to Article 29 para. 2 FINMASA" to remind all supervised institutions of their legal requirement, pursuant to Article 29, paragraph 2 of the Financial Market Supervision Act (FINMASA), to immediately report any incident that is of substantial importance to the supervision.
Immediate reporting to FINMA means that the affected supervised institution informs FINMA through the responsible account manager within 24 hours of detecting such a cyber-attack and conducting an initial assessment of its criticality. The actual report should be submitted within 72 hours via the FINMA web-based survey and application platform (EHP).
The following list contains guidance on the content of such a report to FINMA.
Artificial Intelligence – New Guidelines
As a basic technology, artificial intelligence (AI) is an essential component of ongoing digitisation. It has considerable potential for innovation and growth and is already being successfully applied in a large number of areas. The Swiss Federal Council wants to ensure the best possible framework conditions for this. At the same time, it is concerned to respond appropriately to the challenges of AI.
On the basis of the report "Challenges of artificial intelligence", it has therefore instructed the Swiss Federal Department of Economic Affairs, Education and Research (EAER) to draw up guidelines in collaboration with the Swiss Federal Department of the Environment, Transport, Energy and Communications (DETEC) and the Interdepartmental Working Group on Artificial Intelligence (IDAG AI). These provide a general orientation framework for the federal administration as well as for the holders of federal administrative responsibilities and are intended to ensure a coherent policy with regard to AI.
The orientation framework defines seven guidelines.
Specific guidelines will also be issued for the policy areas of education and science, as well as for the applicability of AI-relevant legal norms.