SWITZERLAND: An Introduction to TMT

Switzerland TMT 2022 

by Lena Götzinger, Jürg Schneider, David Vasella

1. Overview 

As a market intertwined with the EU, Switzerland follows developments in the EU’s regulatory landscape closely, while generally keeping a pragmatic and liberal approach to regulation. For example, the Swiss regulator has to date neither taken a stance on the EU’s proposal for a regulation on artificial intelligence nor on non-personal data (the EU Data Act).

Moreover, Swiss supervisory authorities have given welcome guidance in the past year on how to interpret existing provisions against the quickly changing digital environment.

2. Outsourcing and Cybersecurity 

Outsourcing and cybersecurity have been and remain hot topics in the Swiss administrative, business and regulatory landscape.

Both topics have received increased attention from the Swiss government, which in the past year held a tender for public cloud services to provide administrative services faster. In doing so, the Swiss government follows its national cloud strategy that was adopted in 2020. We generally observe an increase of IT-related public tenders not only on a national governmental level but also by the administration on a cantonal and municipal level. Interested businesses may find information on invitations to tender at www.simap.ch.

Regarding outsourcing in the private sector, businesses seek to have increased control of the data and information shared with the outsourcing provider by implementing appropriate contractual safeguards and data security practices. This is particularly true for businesses navigating regulated markets such as the banking and insurance sector. For example, professional secrecy provisions may set certain specific requirements for outsourcing. For the Swiss banking and insurance sector, the Outsourcing Circular 2018/3 by the Swiss Financial Market Supervisory Authority (FINMA) places certain requirements on outsourcing tasks to third-party providers (including, without limitation, by requiring proper audit and supervision rights).

Data Breaches and Cyber-Attacks – New Notification Rules

Most importantly, the revised Swiss Federal Data Protection Act (revFDPA) introduces a duty of controllers of personal data to report data breaches where it is likely they will result in a high risk to the personality rights or the fundamental rights of the data subjects. Data breaches need to be reported to the Swiss Federal Data Protection and Information Commissioner (“FDPIC”), the federal Swiss data protection authority, and to the data subjects if no exception applies.

Moreover, FINMA recently published guidance on the duty of supervised entities to report successful or partially successful cyber-attacks of substantial importance (Article 29 (2) FINMASA) (Cyber Attack Guideline).

Cyber-attacks are deemed to be of substantial importance if they affect (i) the functioning of the financial market and (ii) the protection of creditors, investors or the insured. This may particularly happen when critical products/services (e.g. payment transactions, administration of insurance contracts, stock exchange trading) or critical infrastructure (e.g. power supply) are attacked. Such attacks need to be reported to FINMA within 24 hours after the supervised entity has been made aware of the attack and has conducted an initial assessment of its criticality. In certain cases, a closing root cause analysis report and proof of an effective crisis management need to be submitted to FINMA.

3. Personal Data Protection 

Switzerland is a member of neither the EU nor the EEA but is considered to provide for an adequate data protection regime under the GDPR. The adequacy finding is soon due for re-confirmation by the European Commission, but most agree that the (rev)FDPA conforms to the GDPR’s adequacy standards.

The revFDPA and the Swiss Federal Data Protection Ordinance (revFDPO, which will further specify the revFDPA provisions but is still in the drafting process) are expected to enter into force on 1 September 2023. The revFDPA introduces new documentation obligations, inter alia on processors and controllers to maintain a record of processing activities. Moreover, the enforcement powers of the FDPIC have been strengthened and sanctions increased. Individuals may be punished with a criminal fine of up to CHF250,000 if they intentionally breach certain data protection provisions. However, companies can now also be criminally fined up to CHF50,000 if an investigation to determine the punishable individual within the company or organisation would entail disproportionate efforts.

Furthermore, the adoption of the new Standard Contractual Clauses by the EU Commission (the “EU SCC”) keeps businesses busy. In principle, the FDPIC recognises the new EU SCC subject to certain modifications and additions being made in order to comply with Swiss data protection law. The FDPIC has published detailed guidance thereon.

4. Access to Non-Personal Data 

Although the focus of the regulator has been mostly on personal data, the potential of non-personal data (for example, trade data from the financial sector or data generated by machine tools) received increased attention in the past year. This follows mainly from (i) the publication of two studies commissioned by the Swiss Federal Council on ownership, control and use of non-personal data on the one hand and access to non-personal data in the private sector on the other hand; and (ii) the fact that the revFDPA will no longer protect data relating to legal entities.

Swiss law does not provide for an ownership right to non-personal data and there is no legal act dedicated to non-personal data. However, such data may be governed by other legal concepts, such as criminal law or unfair competition law prohibiting the non-authorised use of trade secrets or intellectual property law. The Swiss Federal Institute of Intellectual Property (IPI) has in its report on non-personal data found this legal framework to be sufficient.

Instead, the IPI has recommended to the Federal Council to promote complementary support measures (e.g. model contracts, fact sheets or sector-specific best practices) to improve legal certainty and reduce transaction costs. So far, the IPI has published template agreements on the transfer, subscription to and exchange of non-personal data. Model contracts for small and medium-sized enterprises will follow.

In addition, a report and policy recommendations on the concepts of “open data” and “shared data” by the Federal Office of Communications and the Directorate for International Law are expected to be published soon. It remains to be seen if the Federal Council will follow the pragmatic approach proposed by the IPI. It is possible that the recent legislative developments in the EU (in particular the EU Data Act on non-personal data) will fuel aspirations towards a Swiss “Non-Personal Data Law”.

5. Artificial Intelligence 

The Swiss Federal Council decided in the middle of last year to establish an “excellence network on artificial intelligence” to share artificial intelligence (AI) expertise and establish contacts with experts. Its work will be guided by the “Guidance on Artificial Intelligence” published by the Federal Council in 2020 and the corresponding principles and recommendations of the OECD.

To date, there are no proposed bills on the use of AI. However, the “Digital Society”, a Swiss non-profit organisation, has recently published a position paper on the regulation of automated decision-making systems. The proposed regulatory framework follows a damage and risk approach. Under it, systems with an “unacceptable” risk are to be prohibited entirely, whereas systems with a “high” risk are subject to increased transparency and care obligations. In this regard, the framework seems to be inspired by the proposal for an EU regulation on artificial intelligence. It remains to be seen whether the position paper is successful in starting regulatory discussions.

6. Regulatory aspects on the horizon 

Within the TMT sector, the following regulatory aspects on the horizon should especially be closely followed by companies:

– “Lex Netflix”: On 1 October 2021, the Swiss Parliament passed an amendment to the Film Act which, among other things, will oblige streaming providers to invest 4% of their revenue generated in Switzerland into Swiss film productions. Since a referendum was taken against this amendment, the bill will be put to the vote on 15 May 2022.

– Critical infrastructure: Operators of critical infrastructure are to report cyber-attacks to the National Cyber Security Centre (NCSC), so that the NCSC can gain a better overview of cyber-attacks in Switzerland and provide support. The bill is currently under public consultation.

– Telecommunication: A revision of the Telecommunications Ordinance will enact provisions on the reporting of faults, prevention of unauthorised manipulation of telecommunications equipment and the operation of fifth generation mobile radio networks (5G). The bill is currently under public consultation.