Liechtenstein
A microstate of 40,000 people subject to the full GDPR, with a banking secrecy history, pioneering blockchain regulation, and no intelligence service
Overview
The Principality of Liechtenstein is a constitutional hereditary monarchy of approximately 40,000 people and 160 km², nestled between Switzerland and Austria. Despite its size, Liechtenstein is one of the world’s wealthiest countries per capita, with a financial services sector that has historically accounted for a significant share of GDP. The principality is a member of the European Economic Area (EEA) and EFTA, but is not a member of the European Union. It maintains a customs union with Switzerland, uses the Swiss franc, and integrates deeply with Swiss infrastructure across telecommunications, defense, and law enforcement.[1]
The Constitution of 1921 (revised 2003) provides limited privacy protections: Article 32 guarantees the inviolability of the home and the secrecy of letters and written communications, but there is no express constitutional right to data protection. A distinctive feature of Liechtenstein’s governance is the Prince’s veto power — all legislation enacted by the elected Parliament (Landtag) requires the concurrence of the reigning Prince, who may veto any law at his discretion. This includes data protection legislation.[2][3]
The GDPR applies to Liechtenstein through the EEA Agreement: it was incorporated on July 6, 2018 and became applicable on July 20, 2018. Liechtenstein is not a member of any signals intelligence alliance and has no intelligence service and no military (abolished in 1868). Its police force numbers approximately 130 staff. The principality’s privacy landscape is defined less by surveillance concerns than by the tension between its historical role as a banking secrecy jurisdiction — dramatically exposed by the 2008 LGT Bank scandal involving the princely family’s own bank — and its modern obligations under European data protection law.[4]
Data Protection Authority: DSS
Structure and Mandate
The Datenschutzstelle (DSS) — the State Data Protection Inspectorate — is Liechtenstein’s national supervisory authority for data protection, headquartered in Vaduz. The DSS enforces the GDPR and the national Data Protection Act (DSG), supervises both public and private sector data processing, and handles freedom of information oversight.[5]
As an EEA supervisory authority, the DSS participates in the European Data Protection Board (EDPB) mechanisms, including the consistency mechanism and mutual assistance framework. However, unlike EU member state DPAs, disputes involving the DSS fall under EFTA Court jurisdiction rather than the Court of Justice of the European Union.[6]
Enforcement Powers
The DSS has the full range of GDPR enforcement powers: investigative powers (audits, information demands), corrective powers (warnings, reprimands, processing bans), and the authority to impose administrative fines of up to CHF 11 million or 2% of global annual turnover for lesser violations, and up to CHF 22 million or 4% of global annual turnover for more serious violations (whichever is higher in each case).[7]
Enforcement Record
Despite possessing these substantial powers, the DSS has imposed no significant GDPR fines since the regulation became applicable in 2018. This makes it one of the least active DPAs in the entire EEA. Whether this reflects a genuinely compliant data processing landscape in a country of 40,000 people, resource constraints inherent to a microstate supervisory authority, or a cultural reluctance to impose penalties in a small jurisdiction where regulators and regulated entities inevitably know each other, the result is that GDPR enforcement in Liechtenstein exists primarily on paper.[8][9]
Key Legislation
Data Protection Act (Datenschutzgesetz – DSG)
Liechtenstein’s Data Protection Act was adopted on October 4, 2018 and entered into force on January 1, 2019, implementing the GDPR into national law. The DSG does not contain major derogations from the GDPR — data subject rights, legal bases for processing, controller/processor obligations, and cross-border transfer mechanisms largely mirror the EU regulation. The DSG supplements the GDPR with national specifications on criminal penalties, the DSS’s mandate, and sector-specific provisions.[7][10]
Telecommunications Act
The Telecommunications Act governs electronic communications, including data retention obligations for telecommunications providers and the framework for lawful interception. Liechtenstein’s telecommunications sector is closely integrated with Switzerland, with spectrum allocations harmonized to facilitate cross-border roaming.[11]
Cyber-Security Act (CSG)
Originally enacted to implement the first NIS Directive, the CSG was comprehensively amended in early 2025 to transpose the NIS2 Directive. Liechtenstein was among the first EEA states to complete NIS2 transposition, with the amended Act scoping in approximately 1,800–2,200 entities. Registration became mandatory through an official portal on February 1, 2025, with existing NIS-1 entities required to re-register by March 31, 2025. Organizational controls must be in place by February 1, 2026, with full technical compliance to follow and audits planned from 2027.[12]
Banking Secrecy and Financial Privacy
Liechtenstein’s privacy story cannot be understood without its financial services history. For decades, the principality was one of Europe’s most prominent banking secrecy jurisdictions, with trust structures (Stiftungen and Anstalten) that allowed beneficial owners to shield assets and income from tax authorities in their home countries. The financial sector grew to manage assets vastly disproportionate to the country’s size.
The 2008 LGT Bank Scandal
The defining event in Liechtenstein’s financial privacy history was the 2008 Liechtenstein tax affair. LGT Bank — owned by the reigning House of Liechtenstein (the princely family) — became the center of the largest tax evasion investigation ever initiated in Germany when a former employee of a Liechtenstein trust company provided German intelligence (BND) with data on approximately 1,400 account holders. Germany reportedly paid EUR 4.2 million for the stolen data.[13]
The revelations triggered investigations in the United States, the United Kingdom, Australia, France, Italy, and other countries. The US Department of Justice reached a $23.8 million settlement with LGT’s affiliate for facilitating tax evasion by US clients through undisclosed accounts held in the names of Liechtenstein foundations to conceal beneficial ownership. The investigation revealed that LGT had employed practices specifically designed to help clients evade tax obligations, including maintaining accounts not disclosed to US tax authorities.[14]
In 2007, the OECD’s Financial Action Task Force (FATF) had identified Liechtenstein alongside Andorra and Monaco as among the last remaining uncooperative tax havens. The LGT scandal accelerated Liechtenstein’s transformation.[15]
Reforms and Compliance
Under intense international pressure, Liechtenstein undertook comprehensive reforms to shed its tax haven reputation:
• Adopted the OECD standard for tax transparency and signed Tax Information Exchange Agreements (TIEAs) with dozens of countries
• Implemented the Common Reporting Standard (CRS) for automatic exchange of financial account information with over 100 jurisdictions
• Signed intergovernmental agreements for FATCA compliance with the United States
• Strengthened anti-money laundering (AML) legislation, with the FMA (Financial Market Authority) assuming comprehensive supervisory powers
• The Liechtenstein government paid a EUR 50 million fine to the German treasury
The result is a jurisdiction that has moved from active banking secrecy facilitation to international compliance — though the structural capacity for financial opacity through trust and foundation law remains, now subject to transparency obligations that would have been unthinkable before 2008.[16]
The TVTG (Token and Trusted Technology Act)
On October 3, 2019, the Liechtenstein Parliament unanimously passed the Token and Trusted Technology Service Provider Act (TVTG), commonly known as the Blockchain Act, which entered into force on January 1, 2020. This made Liechtenstein one of the first countries in the world to adopt comprehensive legislation specifically governing blockchain and crypto-asset services.[17][18]
The TVTG established a technology-neutral framework covering token issuance, custody, exchange, and other services on “trustworthy technology” systems. Service providers must register with the FMA through the TT Service Provider Register. Token issuers handling CHF 5 million or more within 12 months require registration regardless of whether they operate professionally. The law aims to balance innovation with investor protection and AML compliance.[19]
Liechtenstein is now implementing the EU’s Markets in Crypto-Assets Regulation (MiCA) through the EWR-MiCAR-Durchführungsgesetz, which entered the legislative process in late 2024. The FMA operates a dedicated FinTech competence centre and has cultivated a reputation for constructive engagement with crypto and fintech startups during licensing.[20]
From a privacy perspective, the TVTG creates tensions with GDPR principles: blockchain’s immutability conflicts with the right to erasure, and public ledger transparency conflicts with data minimization. The DSS has not published specific guidance on resolving these conflicts.
Police and Security
Liechtenstein has no intelligence service and no military (the army was abolished in 1868 after the Austro-Prussian War). All security functions are handled by the Landespolizei (National Police), which employs approximately 130 staff with over 80 serving as police officers.[21]
Structure
The Landespolizei is organized into three divisions: Security and Traffic Control (including a Border Unit, Riot Police, and Protection Unit), Criminal Investigation (including a Crime Intelligence Unit and Financial Crime Unit), and administration. The border surveillance system includes over 60 cameras costing approximately $2.3 million.[22]
International Cooperation
Liechtenstein relies on international cooperation for capabilities it cannot maintain domestically. A Trilateral Agreement on Cross-Border Police Cooperation with Switzerland and Austria (signed June 4, 2012) enables mixed patrols, information exchange on criminal phenomena, coordinated manhunts, and cross-border hot pursuit. The Landespolizei also cooperates with Europol and Interpol.[22]
For intelligence matters, Liechtenstein effectively relies on the Swiss Nachrichtendienst des Bundes (NDB). The customs union, shared currency, and integrated telecommunications infrastructure mean that Swiss security services have significant visibility into Liechtenstein’s threat environment. This dependency means that Liechtenstein’s security posture — including any intelligence collection affecting persons in Liechtenstein — is shaped by Swiss national security priorities and Swiss surveillance law rather than by Liechtenstein’s own minimal domestic framework.
Surveillance Powers for Foreign Targets
Liechtenstein’s lack of an intelligence service means it conducts no independent foreign intelligence collection. However, this does not mean persons in or communicating with Liechtenstein are free from foreign surveillance. The GDPR’s national security exemption (Article 2(2)) applies, and while Liechtenstein itself has minimal capability to exploit it, its dependency on Swiss infrastructure means that Swiss intelligence law effectively governs the surveillance exposure of anyone whose communications transit through Swiss networks — which, for Liechtenstein, means virtually all communications.
Surveillance Exposure and Telecommunications
Liechtenstein’s telecommunications infrastructure is fully integrated with Switzerland. The automatic telephone system connects to Swiss networks via cable and microwave relay. International internet traffic transits through Swiss networks and exchanges. Spectrum allocations are harmonized with Swiss authorities to facilitate seamless cross-border roaming. The Liechtenstein Internet Exchange (LI-IX) keeps some domestic traffic within the country, but most international peering occurs through partner exchanges in Switzerland.[11][23]
Liechtenstein has achieved 99% fiber-to-the-home (FTTH) coverage, exceeding both Switzerland and Austria. The country does not require a designated universal service provider because universal broadband coverage is achieved through market forces alone.[23]
Swiss Surveillance Infrastructure
The critical privacy implication of this telecommunications dependency is that Liechtenstein’s communications are subject to Swiss surveillance infrastructure. The Swiss BÜPF (Bundesgesetz betreffend die Überwachung des Post- und Fernmeldeverkehrs) — the Federal Act on the Surveillance of Post and Telecommunications — authorizes lawful interception of communications transiting Swiss networks. The Swiss NDB (Nachrichtendienst des Bundes) conducts signals intelligence under the Intelligence Service Act (NDG), including cable reconnaissance programs that can capture cross-border communications at Swiss internet exchange points and cable landing stations.
For traffic routed beyond Switzerland to the broader European internet, Liechtenstein’s communications face additional interception exposure through Germany (BND cable monitoring under the BND Act) and potentially Austria (Heeresnachrichtenamt/HNA). Liechtenstein has no independent capability to monitor, regulate, or even detect such interception. The result is that a country with no intelligence service and strong formal privacy protections under the GDPR has its entire communications infrastructure running through networks operated by nations with active signals intelligence programs.
International Data Sharing
EEA Framework
As an EEA member, Liechtenstein benefits from automatic GDPR adequacy for data transfers within the EEA. Cross-border transfers to third countries follow GDPR Chapter V mechanisms (adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules). The DSS participates in EDPB consistency mechanisms, though enforcement disputes are resolved by the EFTA Court rather than the CJEU.[6]
Swiss Customs Union
The 1923 customs union with Switzerland creates extensive data sharing between the two countries for customs, taxation, and regulatory purposes. Swiss authorities process Liechtenstein customs data, and the integrated financial regulatory framework requires information exchange between the FMA and Swiss FINMA.[1]
Tax Information Exchange
Following the 2008 reforms, Liechtenstein participates in the OECD Common Reporting Standard (CRS) for automatic exchange of financial account information with over 100 jurisdictions. It has signed numerous bilateral Tax Information Exchange Agreements (TIEAs) and intergovernmental agreements for US FATCA compliance. This represents the most significant international data sharing regime affecting Liechtenstein — the financial transparency obligations that replaced its former banking secrecy regime now generate continuous cross-border flows of personal financial data.[16]
Law Enforcement Cooperation
Liechtenstein cooperates with Europol and Interpol and participates in the Schengen Information System. The trilateral police agreement with Switzerland and Austria enables operational intelligence sharing and coordinated law enforcement activities. For mutual legal assistance in criminal matters, Liechtenstein generally operates through Swiss channels given its integrated legal and institutional infrastructure.[22]
Data Retention
Liechtenstein’s Telecommunications Act requires providers to retain communications metadata for law enforcement purposes. Given the country’s small size and the integration of its telecommunications infrastructure with Switzerland, the practical scope of domestic data retention is limited. Access to retained data requires judicial authorization.
As an EEA state, Liechtenstein is bound by the CJEU’s data retention jurisprudence as incorporated into the EEA Agreement, though enforcement of these principles falls to the EFTA Court. The EFTA Court has generally followed CJEU case law on fundamental rights questions, meaning the restrictions established in cases like Digital Rights Ireland, Tele2/Watson, and La Quadrature du Net apply in principle to Liechtenstein’s data retention framework.
Recent Developments
NIS2 Transposition (Early 2025): Liechtenstein completed transposition of the NIS2 Directive through amendments to the Cyber-Security Act (CSG), making it one of the first EEA states to do so. The amended Act covers approximately 1,800–2,200 entities. Registration opened February 1, 2025, with organizational controls required by February 1, 2026 and audits planned from 2027.[12]
Banking Act Reform (February 2025): A comprehensive reform of the Banking Act entered into force on February 1, 2025, introducing a clear separation between banking and investment firm supervision and aligning the framework with EEA legal principles. The reform modernizes the regulatory environment for Liechtenstein’s financial sector.[20]
MiCA Implementation: The EWR-MiCAR-Durchführungsgesetz, implementing the EU’s Markets in Crypto-Assets Regulation via the EEA Agreement, entered the legislative process in late 2024 with expected entry into force in early 2025, supplementing the existing TVTG framework.[20]
AMLA Coordination (July 2025): With the EU Anti-Money Laundering Authority (AMLA) becoming operational in July 2025, the FMA must coordinate closely with the new centralized AML supervisor, particularly given Liechtenstein’s historically sensitive position on financial secrecy.[20]
FTTH Coverage: Liechtenstein achieved 99% fiber-to-the-home broadband coverage, the highest rate in the DACH region (Germany, Austria, Switzerland), without requiring universal service obligations.[23]
DSS Enforcement: As of February 2026, the Datenschutzstelle has still not imposed significant GDPR fines, maintaining its position as one of the least active DPAs in the EEA.[8]
