Switzerland
Non-Eyes state with cable reconnaissance powers, the Crypto AG legacy, and systematic rejection of US surveillance vendors
Overview
Switzerland is a non-EU member state bound by the European Convention on Human Rights and participating in the Schengen area. It is not a member of any Eyes alliance (neither Five Eyes, Nine Eyes, nor Fourteen Eyes), a position that has contributed to its reputation as a jurisdiction for privacy-oriented technology services. However, that reputation must be weighed against a more complicated history.
The Crypto AG scandal, revealed in 2020, exposed decades of secret collaboration between Swiss intelligence and the CIA through a Swiss-based encryption company that sold deliberately weakened equipment to over 120 governments. The CIA called it “the intelligence coup of the century.”[1] Switzerland’s Intelligence Service Act (NDG) authorises cable reconnaissance (bulk interception of cross-border fibre-optic communications) and computer network exploitation, though a December 2025 Federal Administrative Court ruling found these practices incompatible with fundamental rights.[2]
On the privacy side, the revised Federal Act on Data Protection (FADP/nDSG), effective September 1, 2023, modernised Swiss data protection law with GDPR-compatible standards while retaining distinctly Swiss features. Switzerland has rejected Palantir Technologies at least nine times over seven years, citing concerns about US intelligence access to sensitive data.[3] Banking secrecy, codified since 1934, has been substantially eroded through the Automatic Exchange of Information with 100+ countries.
Privacy Framework
The FDPIC (Federal Data Protection and Information Commissioner) is an independent authority supervising compliance with data protection law. Under the revised FADP (September 2023), the FDPIC gained power to issue legally binding administrative orders, a significant upgrade from the previous regime where only non-binding recommendations were possible. However, the FDPIC cannot impose fines — criminal penalties of up to CHF 250,000 are imposed on responsible natural persons (not organisations), prosecuted by cantonal authorities.[4][5]
The FADP protects only natural persons (aligning with GDPR), introduces the “effects doctrine” for extraterritorial application, distinguishes between ordinary and “high-risk” profiling, does not require mandatory DPOs, and sets breach notification at “as soon as possible” rather than the GDPR’s 72 hours. Unlike the GDPR’s closed list of legal bases, the FADP uses a principle-based approach where processing is generally permitted unless it violates personality rights. Switzerland maintains EU adequacy (first granted 2000, renewed January 2024) and approved the Swiss-US Data Privacy Framework in September 2024.[6][7]
Surveillance Laws
BÜPF – Federal Act on the Surveillance of Post and Telecommunications (2018)
The BÜPF governs lawful interception by law enforcement. The 2018 revision substantially expanded capabilities:[8]
- Lawful interception: Only in criminal proceedings (not preventive). Ordered by prosecutors, approved by court. Metadata access requires court order; subscriber data does not
- GovWare (state trojans): Government malware on suspects’ devices, subject to subsidiarity (only when other measures fail). The FDPIC criticised the authorised offence catalogue as “too comprehensive”
- IMSI catchers: Cell tower simulation devices for mobile interception, requiring judicial authorisation
The Dienst ÜPF (Post and Telecommunications Surveillance Service) implements surveillance measures, serving cantonal prosecutors, the Attorney General, and the Federal Intelligence Service.
NDG – Federal Intelligence Service Act (2017)
The NDG was approved by referendum with 65.5% support and entered into force September 1, 2017. Key capabilities:[9]
- Cable reconnaissance (Kabelaufklärung): Bulk interception of cross-border fibre-optic communications, filtered using selectors. Swiss nationals and residents are exempt from targeting
- Computer network exploitation: Remote infiltration of computer systems, including webcam activation and trojan deployment, both domestically and abroad
Triple-Lock Authorisation
Special intelligence-gathering measures require three-stage approval: (1) Federal Administrative Court, (2) heads of the Departments of Defence, Justice, and Foreign Affairs, (3) Federal Council Security Committee. However, the December 2025 FAC ruling found this mechanism insufficient in practice to protect fundamental rights.[2]
Procedural Safeguards
The Swiss Criminal Procedure Code (StPO) requires post-surveillance notification to targets, access to results, right to independent expert review, right to challenge in court, and damages for successful challenges. Metadata obtained without judicial authorisation is inadmissible.[10]
Intelligence Services
NDB / FIS – Federal Intelligence Service
Established January 1, 2010 by merging the DAP (domestic security) and SND (foreign intelligence). Responsible for counter-terrorism, counter-espionage, counter-proliferation, and critical infrastructure protection. The NDB collaborates with over 100 foreign intelligence agencies (12,500 notifications received and 6,000 sent in 2017). A separate Military Intelligence service (MND) operates within the armed forces.[11]
Alliance Status: Non-Member with Extensive Cooperation
Switzerland is not a member of the Five Eyes, Nine Eyes, Fourteen Eyes, or Maximator alliances. However, its independence is more nuanced than formal non-membership suggests:[12]
- Club de Berne: Switzerland is a founding member (established 1969, co-initiated by Switzerland and named after Bern), now comprising intelligence services of all 27 EU states plus Norway and Switzerland
- Counter Terrorism Group (CTG): Active participant with substantially overlapping Club de Berne membership
- Focused cooperation: Listed among countries participating in computer network exploitation cooperation with Five Eyes nations
Crypto AG / Operation Rubicon
Revealed February 2020 by the Washington Post, ZDF, and SRF. Crypto AG, a Swiss-based encryption manufacturer, was secretly co-owned by the CIA and the West German BND from 1970 to 2018. They sold deliberately weakened encryption equipment to over 120 governments (including Iran, India, Pakistan, and Latin American nations), enabling the CIA and BND to read their encrypted communications. The BND sold its stake around 1993; the CIA maintained sole ownership until approximately 2018.[1]
The GPDel (Parliamentary Control Delegation) investigation found that Swiss intelligence (SND) knew the CIA was behind Crypto AG as far back as 1993 and subsequently collaborated. The report stated: “The Swiss authorities share responsibility for the activities of Crypto AG.” Current ministers were only informed in autumn 2019, months before media revelations.[13]
Oversight Bodies
- AB-ND: Independent Oversight Authority for Intelligence Activities, established by the NDG
- GPDel: Parliamentary Control Delegation with wide-ranging inspection rights
- FDPIC: Checks legality of domestically collected intelligence data
- Federal Audit Office: Financial oversight
The multi-layered structure reflects Swiss political culture, though Operation Rubicon showed it can fail when activities are concealed for decades.[14]
Data Sovereignty: Rejecting Palantir
Swiss federal agencies have rejected Palantir Technologies at least nine times over seven years. In 2020, military evaluators rejected a Palantir bid for an intelligence service IT system, concluding it was unclear whether sensitive data could be safeguarded from US intelligence access. The Federal Office of Public Health chose competitors for pandemic management. The pattern reflects an institutional assessment that Palantir’s ties to US intelligence (initially funded by the CIA’s In-Q-Tel, extensive NSA/CIA contracts) create unacceptable sovereignty risks.[3]
This contrasts sharply with other privacy-conscious jurisdictions: the UK awarded Palantir £330M (NHS) and £240M (MOD), France renewed its DGSI contract, Denmark deployed POL-INTEL, and Germany allows three states to use Palantir despite federal concerns.[15]
However, investigative reporting in October 2023 revealed that Predator spyware (Intellexa/Cytrox) had been sold to Switzerland among 25 identified purchaser countries.[16]
Banking Secrecy and Financial Privacy
Article 47 of the Federal Act on Banks and Savings Banks (1934) makes disclosure of client information a federal crime punishable by up to five years’ imprisonment and CHF 250,000 fines. This transformed a civil-law tradition into one of the most widely recognised financial privacy regimes.[17]
However, banking secrecy has been substantially eroded since 2009 under international pressure. Switzerland adopted the Automatic Exchange of Information (AEOI) standard in 2017, with first exchanges in 2018. As of 2024–2026, AEOI covers 100+ partner countries, with millions of accounts shared annually (balances, interest, dividends, financial income, account holder identity). Crucially, AEOI applies only to foreign account holders; Swiss residents’ banking information is not exchanged automatically, meaning banking secrecy remains functionally intact domestically.[18]
Cryptography and Export Controls
The development, manufacturing, and use of cryptographic products is unrestricted within Switzerland. No authorisation, licensing, or registration is required. Switzerland participates in the Wassenaar Arrangement for export controls on dual-use goods, administered by SECO (State Secretariat for Economic Affairs). An Ordinary General License covers exports to 23 trusted countries. Under the Embargo Act, Switzerland also applies import controls on surveillance technology based on human rights considerations. Following Operation Rubicon, Switzerland strengthened due diligence for cryptographic product exports.[19][20]
Data Retention
Telecommunications providers must retain metadata (not content) for 6 months, including traffic data, subscriber data, location data, and IP addresses. Content is excluded.[8]
VÜPF Expansion Controversy (2025–2026)
In January 2025, the Federal Council proposed expanding the VÜPF (implementing ordinance) to classify VPN services, encrypted messaging apps, social media, and email providers as telecommunications service providers subject to retention. The proposals included mandatory IP address logging for providers with 5,000+ users, mandatory identity verification (banning anonymous access), and potential obligations to build encryption backdoors.[21]
The backlash was severe: Swiss-based companies began relocating servers abroad, Proton relocated CHF 100 million in infrastructure to Germany and Norway, and 19 civil society organisations (including EDRi, Amnesty International, Privacy International) published an open letter demanding abandonment of the proposals. Parliament paused the process in December 2025, commissioning an independent impact analysis before any new draft.[22][23]
International Data Sharing Agreements
Despite Switzerland’s non-membership in Eyes alliances and robust domestic framework, extensive international agreements provide foreign agencies with pathways to access Swiss person data.
Mutual Legal Assistance: Layered Framework
Switzerland’s MLA framework is governed domestically by the Federal Act on International Mutual Assistance in Criminal Matters (IMAC/IRSG). The Federal Office of Justice serves as the central authority.[24]
Council of Europe (50 signatory states): The European Convention on Mutual Assistance in Criminal Matters (1959) and its Additional Protocols provide MLA coverage with all Council of Europe members and additional signatory states.
Bilateral MLATs: Switzerland has pursued an extensive bilateral treaty network, initially with European countries, later expanding to Anglo-American states, Latin America, Asia, and North Africa, and more recently to emerging financial centres (Indonesia, Kenya, Qatar). Confirmed bilateral MLA treaties include:[25]
- Americas: United States (1973 — the first modern bilateral MLAT worldwide, establishing the template replicated globally), Canada, Ecuador, Mexico
- Europe: Austria, France, Germany, Italy, Netherlands, Portugal, Spain
- Asia-Pacific: Australia, Hong Kong, Philippines, Republic of Korea, Singapore
IMAC fallback (worldwide): Under the IMAC, Switzerland can provide mutual legal assistance even without a treaty. Some partner states, however, cannot offer assistance without a treaty basis, which drives Switzerland’s ongoing treaty expansion programme. The Federal Office of Justice also uses Memoranda of Understanding as preliminary instruments with states not yet ready for formal treaty negotiations.[24]
Club de Berne: Counter-Terrorism Intelligence
As a founding member of the Club de Berne (1969), Switzerland has participated in European intelligence sharing for over five decades. The network now comprises all 27 EU intelligence services plus Norway and Switzerland. The Counter Terrorism Group (CTG) operates in parallel with substantially overlapping membership.[12]
Schengen Information System (SIS II)
Switzerland’s Schengen association (operational since 2008) means alerts entered by Swiss police are visible in real time across all Schengen countries, and vice versa. The Schengen Data Protection Act (SDPA) (2018) governs data processing in Schengen contexts.[26]
Prüm Decision: Biometric Data Exchange
Switzerland participates in automated cross-border exchange of DNA profiles, fingerprints, and vehicle registration data. The Prüm II Regulation (2024) expands this to facial images and police records.[27]
Financial Data Sharing
AEOI: Automatic exchange of bank account information with 100+ countries (described in Banking Secrecy section).
SWIFT/TFTP: Swiss persons’ international wire transfers are subject to US Treasury access under the Terrorist Finance Tracking Program.[28]
Egmont Group: The Swiss FIU shares financial intelligence across 164+ Financial Intelligence Units worldwide.
Other Frameworks
Interpol I-24/7: Switzerland participates in Interpol’s global police network (195 countries).
Europol: Cooperation agreement enabling strategic and technical intelligence exchange; Europol maintains FBI cooperation, meaning Swiss intelligence may flow onward to US law enforcement.
PNR: Swiss air carriers transfer passenger data to US CBP for US-bound flights.[29]
The Privacy Backdoor Effect
Despite non-membership in Eyes alliances, the FADP, and NDG triple-lock authorisation, international agreements create alternative access pathways:
- 1973 MLAT + IMAC: US and 50+ Council of Europe states can request data through MLA channels
- Club de Berne: Counter-terrorism intelligence sharing with 29 intelligence services
- Schengen SIS II: Real-time alert sharing across all Schengen countries
- Prüm Biometrics: Automated DNA, fingerprint, and vehicle queries across Schengen states
- AEOI: Banking data shared automatically with 100+ countries, eroding the traditional secrecy regime
- SWIFT/TFTP: International wire transfers subject to US Treasury subpoena
- Europol-FBI Channel: Intelligence shared with Europol potentially accessible to US FBI
Recent Developments
FAC Cable Surveillance Ruling (December 2, 2025)
The Federal Administrative Court ruled that cable reconnaissance and radio surveillance as practised by the NDB are incompatible with the Federal Constitution and the ECHR. The court found insufficient protection against misuse, no instruments protecting journalistic sources or lawyer-client communications, and neither effective oversight nor legal remedy for affected parties. The legislature has a five-year transitional period; if a compliant system is not in place by 2030, cable and radio surveillance must be discontinued entirely.[2][30]
NDG Revision Packages (2025–2026)
The Federal Council is pursuing a multi-part NDG revision. The basic package dispatch was submitted to Parliament on February 13, 2026, extending the FIS mandate to all of cyberspace, authorising data collection from financial intermediaries, and strengthening AB-ND oversight. The controversial proposal to allow surveillance of persons with professional secrecy (lawyers, doctors) was dropped. A separate cable reconnaissance reform track addresses the FAC ruling’s 2030 deadline.[31][32]
VÜPF Surveillance Expansion Paused
The data retention expansion proposals (described above) were paused following industry backlash and the December 2025 parliamentary motion requiring an independent impact analysis before any new draft.[23]
Swiss-US Data Privacy Framework Stability
The Framework remains operational but faces uncertainty after the termination of all three Democratic PCLOB members in January 2025, leaving the board without a quorum. The PCLOB plays a central role in the redress mechanism. Legal commentators recommend maintaining SCCs as a precautionary fallback.[33]
