Switzerland
Neutral ground between banking secrecy and intelligence cooperation
Overview
Switzerland is a non-EU member state with deep European ties. Bound by the European Convention on Human Rights and participating in the Schengen area, it maintains its own independent data protection framework while remaining compatible with EU standards. Switzerland is not a member of any Eyes alliance (neither Five Eyes, Nine Eyes, nor Fourteen Eyes), a position that has contributed to its development as a jurisdiction for privacy-oriented technology services.
That reputation, however, must be weighed against a more complicated history. Switzerland’s banking secrecy tradition, codified in federal law since 1934, gave birth to what became the world’s most widely recognized financial privacy regime, one that has been substantially eroded since 2009 under international pressure. And the Crypto AG scandal, revealed in 2020, exposed decades of secret collaboration between Swiss intelligence and the CIA through a Swiss-based encryption company that sold weakened equipment to over 120 governments.[1] The CIA called it “the intelligence coup of the century.”
The revised Federal Act on Data Protection (FADP/nDSG), which entered into force on September 1, 2023, modernized Swiss data protection law and aligned it more closely with the GDPR, while retaining distinctly Swiss features, including criminal penalties against individuals rather than organizations, no mandatory Data Protection Officer requirement, and a data protection authority that cannot impose fines.
Switzerland is also a member of the European Free Trade Association (EFTA) and a Schengen-associated state. These ties, together with its ECHR commitments noted above, require it to maintain data protection standards compatible with those of the European Union, even as it charts its own legislative course. This page covers the full spectrum of Swiss privacy and surveillance law, from the FDPIC to the intelligence services, from banking secrecy to cable reconnaissance.
Data Protection Authority
FDPIC / EDÖB – Federal Data Protection and Information Commissioner
The FDPIC (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter, EDÖB) is an independent federal authority within the Federal Department of Justice and Police, reporting directly to the Federal Assembly (Parliament). The FDPIC supervises compliance with data protection law by both federal bodies and private persons.[2]
Current Commissioner: Adrian Lobsiger (Dr. iur.), elected by the Federal Council in November 2015 and confirmed by Parliament in March 2016. He took office on June 1, 2016, was reelected for a second term in April 2019, and stood as a candidate for a third term (2024–2027). Under the revised FADP, the Commissioner’s term is limited to a maximum of 12 years (three four-year terms).[3]
Powers Under the Revised FADP (Since September 1, 2023)
The 2023 revision significantly strengthened the FDPIC’s authority. Under the old FADP, the Commissioner could only issue non-binding recommendations. The revised law grants the power to issue legally binding administrative orders directly to controllers and processors, including orders to modify, suspend, or terminate data processing; delay or abort international data transfers; implement privacy by design and by default measures; conduct Data Protection Impact Assessments; provide breach notifications; and grant data subject access rights.[2]
The FDPIC may open investigations into data processing by private bodies on its own initiative or at the request of third parties. In its first year under the new law, the Commissioner opened 26 preliminary enquiries and investigations, concluding 7 by November 2024.[4]
Critical Limitation: No Power to Impose Fines
Unlike EU data protection authorities under the GDPR, the FDPIC cannot impose administrative fines. Criminal penalties under the FADP (up to CHF 250,000) are prosecuted by cantonal prosecution authorities, not the FDPIC. This is a fundamental structural difference from the GDPR enforcement model, where supervisory authorities can directly levy fines of up to EUR 20 million or 4% of global turnover.[2]
Notable Enforcement Actions
Xplain AG / fedpol / FOCBS (April 2024): The FDPIC published final investigation reports on the May 2023 Play ransomware attack on Xplain AG, a government IT contractor. 1.3 million files were stolen and 65,000 documents relevant to the Federal Administration were published on the darknet. The FDPIC found that Xplain, fedpol, and the Federal Office for Customs and Border Security all failed to meet minimum data security standards under the FADP.[5]
Ricardo / TX Group (April 2024): The FDPIC concluded that the Ricardo auction platform and parent TX Group were processing personal data (usage data linked to unique pseudonyms) contrary to their affirmations to users.[4]
Bürgerforum Schweiz (2024): The FDPIC investigated an association that had sent questionnaires about religious beliefs and published answers publicly without consent. The Commissioner ordered that publication could only occur with express consent and that deletion requests must be honored.[4]
Cross-border transfer guidance (July 2024): The FDPIC published updated guidance on cross-border transfers of personal data, clarifying the requirements under the revised FADP for organizations transferring data to countries outside the Annex 1 adequacy list.[4]
Federal Act on Data Protection (FADP / nDSG)
The completely revised Federal Act on Data Protection (Bundesgesetz über den Datenschutz, DSG, commonly referred to as the “nDSG” or “revFADP”) was adopted by Parliament on September 25, 2020 and entered into force on September 1, 2023. It replaces the original FADP of June 19, 1992 (as amended in 2006) and represents a comprehensive modernization motivated by the need to maintain the EU adequacy decision and align with evolving international standards.[6]
Criminal Penalties Against Individuals (Unique Feature)
The most distinctive feature of the FADP is its approach to penalties. Fines of up to CHF 250,000 (approximately EUR 263,000) are imposed on responsible natural persons, not on organizations. Criminal sanctions apply only to intentional (willful) violations; negligent infringements are not penalized.[7] This is unique among European data protection laws. Under the old FADP, maximum fines were only CHF 10,000.
Penalized offenses include: violation of information, access, and cooperation duties (Article 60); violation of data security obligations and unauthorized international transfers (Article 61); violation of professional confidentiality (Article 62); and failure to comply with an FDPIC order or court decision (Article 63). Under Article 64, if the fine for the individual would not exceed CHF 50,000 and identifying the responsible person would require disproportionate investigative effort, the fine can be imposed on the company itself (up to CHF 50,000).[7]
No Mandatory DPO
Unlike the GDPR, the FADP does not require organizations to appoint a Data Protection Officer. The appointment of a Data Protection Advisor (Datenschutzberater) is voluntary but recommended, as it provides certain advantages, including exemption from the requirement to consult the FDPIC after a Data Protection Impact Assessment reveals high residual risks.[6]
Breach Notification: “As Soon as Possible”
Article 24 requires controllers to report data security breaches to the FDPIC “as soon as possible” if the breach is likely to result in a high risk to data subjects. Unlike the GDPR’s specific 72-hour window, the FADP sets no fixed deadline. Data subjects must also be notified when necessary for their protection. The FDPIC published detailed guidance on breach notification obligations on February 6, 2025.[8]
Extraterritorial Scope
Article 3 introduces the “effects doctrine” (Auswirkungsprinzip), applying the FADP to any data processing that produces effects in Switzerland, regardless of where the processing occurs. Foreign controllers and processors with a sufficient connection to Switzerland must comply and may need to appoint a Swiss representative.[6]
Other Key Provisions
Scope narrowed to natural persons only: The old FADP protected personal data of both natural and legal persons. The revised law protects only natural persons, aligning with the GDPR approach.
Data Protection Impact Assessments: Required under Article 22 when processing may pose a high risk to the personality or fundamental rights of data subjects. If the DPIA reveals significant residual risk, the FDPIC must be consulted (Article 23).[9]
Data subject rights: The FADP provides rights to information and access (Articles 25–27), rectification (Article 32(1)), erasure and destruction (Article 32(2)), data portability in a commonly used electronic format (Articles 28–29), and the right to object to processing. The right to access includes information on processing purposes, categories of data, recipients, storage periods, and international transfers. Controllers may refuse requests on limited grounds, including where disclosure is prohibited by law or the data serves a public purpose.[10]
Profiling distinction: The FADP distinguishes between ordinary “profiling” and “high-risk profiling,” a distinction the GDPR does not make. High-risk profiling, defined as profiling that permits an assessment of essential aspects of the personality of a natural person, is subject to stricter consent requirements.
Legal basis for processing: Unlike the GDPR, which enumerates six explicit legal bases for processing (Article 6), the FADP does not maintain a closed list of legal bases. Instead, processing is generally permitted unless it violates the personality rights of data subjects. This more principle-based approach gives organizations greater flexibility but can also create uncertainty about compliance boundaries.
Implementing ordinance (DSV): The Data Protection Ordinance, adopted August 31, 2022 and effective September 1, 2023, provides detailed rules on minimum data security requirements, breach notification procedures, records of processing activities, DPIA criteria, the list of adequate countries for international transfers (Annex 1), and data portability.[11]
Surveillance Laws
BÜPF – Federal Act on the Surveillance of Post and Telecommunications (2018)
The BÜPF (Bundesgesetz betreffend die Überwachung des Post- und Fernmeldeverkehrs) is the primary legal framework governing lawful interception of communications by Swiss law enforcement and intelligence agencies. Originally adopted in 2000, a major revision entered into force on March 1, 2018, substantially expanding surveillance capabilities.[12]
Lawful interception: Surveillance by law enforcement cannot be conducted preventively, only in the course of criminal procedures. Interception must be ordered by public prosecutors and approved by a court (Zwangsmassnahmengericht). Inventory data (subscriber information) can be accessed without judicial authorization, but peripheral/metadata access requires a court order.[12]
GovWare (state trojans): The revised BÜPF authorizes government-deployed malware on suspects’ computers and smartphones. This is subject to the subsidiarity principle: GovWare may only be used when other surveillance measures have been unsuccessful. The FDPIC has criticized the authorized catalogue of criminal offenses as “too comprehensive” for such invasive measures.[12]
IMSI catchers: The revised BÜPF also authorizes the use of IMSI catchers (devices that simulate cell towers to intercept mobile communications), subject to judicial authorization.[12]
Dienst ÜPF / Service SCPT: The Post and Telecommunications Surveillance Service is a central government service within the Federal Department of Justice and Police that acts as the interface between law enforcement authorities and telecommunications providers. Its main clients are the 26 cantonal public prosecutors, the Office of the Attorney General, and the Federal Intelligence Service. It is responsible for implementing surveillance measures ordered by prosecution authorities.[12]
NDG – Federal Intelligence Service Act (2017)
The NDG (Nachrichtendienstgesetz) is the legal foundation for Switzerland’s Federal Intelligence Service (NDB). Adopted by Parliament on September 25, 2015, it was approved in a popular referendum on September 25, 2016 with 65.5% approval and entered into force on September 1, 2017.[13]
Cable reconnaissance (Kabelaufklärung): The NDG authorizes the NDB to intercept and analyze cross-border communications traveling through fiber-optic cable networks to monitor data traffic between Switzerland and foreign countries. Swiss nationals and all residents of Switzerland are exempt from cable reconnaissance targeting. Intercepted data is filtered using selectors (search terms, addresses) to identify intelligence-relevant communications.[13]
Computer network exploitation: The NDG authorizes the NDB to infiltrate and monitor computer systems, including remotely activating webcams, accessing data, and deploying trojans, both domestically (with stricter authorization) and abroad (to protect Swiss infrastructure).[13]
Triple-Lock Authorization
The use of special intelligence-gathering measures (cable reconnaissance, computer network exploitation, and surveillance of private premises) requires triple-lock authorization:
1. Approval by the Federal Administrative Court.
2. Political authorization from the heads of the Federal Departments of Defence, Justice, and Foreign Affairs.
3. Review and authorization by the Federal Council Security Committee.
This triple-lock mechanism was designed to provide safeguards through multiple authorization requirements. However, the December 2025 FAC ruling (discussed in the Recent Developments section below) found that the mechanism has proven insufficient in practice to protect fundamental rights.[14]
Procedural Safeguards Under the Criminal Procedure Code
The Swiss Criminal Procedure Code (StPO) provides important procedural safeguards for surveillance. Under the StPO, the target of surveillance must be notified after the surveillance ends, provided access to the results, and given the right to have results examined by an independent expert. The target also has the right to challenge the surveillance in court, and damages must be awarded if the challenge is successful. Metadata obtained without judicial authorization is inadmissible as evidence under Article 277(2) StPO.[15]
These procedural protections provide a multi-layered authorization framework, though the December 2025 FAC ruling (discussed in the Recent Developments section below) demonstrated that the protections remain insufficient in the intelligence context.
Intelligence Services
NDB / FIS – Federal Intelligence Service
The NDB (Nachrichtendienst des Bundes / Federal Intelligence Service, FIS) was established on January 1, 2010 by merging two predecessor agencies: the DAP (Dienst für Analyse und Prävention – domestic security and counter-intelligence) and the SND (Strategischer Nachrichtendienst – foreign and strategic intelligence).[16]
Mandate: Intelligence gathering for national security, including counter-terrorism, counter-espionage, counter-proliferation, and safeguarding critical infrastructure. Since the NDG entered into force in 2017, the NDB has been empowered with the enhanced surveillance tools described in the Surveillance Laws section above.
Known organizational divisions: NDBA (Auswertung/Analysis), NDBB (Beschaffung/Acquisition) with sub-divisions for foreign acquisition (NDBB-A) and domestic acquisition (NDBB-I), NDBS (Steuerung und Lage/Coordination and Situation), and NDBU (Unterstützung/Support). A separate Military Intelligence service (MND / Militärischer Nachrichtendienst) operates within the Swiss Armed Forces, focused on military threats and defense intelligence.[16]
International cooperation: The NDB collaborates with over 100 foreign intelligence agencies. In 2017, the NDB received approximately 12,500 notifications from foreign agencies and sent out 6,000.[16]
Five Eyes / Nine Eyes / Fourteen Eyes
Switzerland is not a member of the Five Eyes (US, UK, Canada, Australia, New Zealand), Nine Eyes (Five Eyes plus Denmark, France, Netherlands, Norway), or Fourteen Eyes / SIGINT Seniors Europe alliances. It is also not a member of the Maximator signals intelligence alliance (Denmark, France, Germany, Netherlands, Sweden).[17]
However, Switzerland’s intelligence independence is more nuanced than its formal non-membership suggests. It is a founding member of the Club de Berne (established 1969), an intelligence-sharing network now comprising the intelligence services of all 27 EU member states plus Norway and Switzerland. The club was co-initiated by Switzerland and named after the Swiss capital. It is focused on counter-terrorism cooperation.[17]
Switzerland is also listed among countries that participate in “focused cooperation” on computer network exploitation with Five Eyes nations, alongside Austria, Belgium, Germany, and Japan. And Schengen membership requires real-time data sharing via the Schengen Information System.[17]
Crypto AG / Operation Rubicon
The Crypto AG scandal, revealed on February 11, 2020 by the Washington Post, ZDF, and SRF, exposed one of the most consequential intelligence operations of the Cold War. Crypto AG, a Swiss-based encryption equipment manufacturer, was secretly owned by the CIA and the West German BND from 1970 to 2018.[1]
The operation, known as Operation Rubicon (previously Operation Thesaurus), involved selling deliberately weakened encryption equipment to over 120 governments (including Iran, India, Pakistan, and multiple Latin American nations), enabling the CIA and BND to read their encrypted communications. The BND sold its stake around 1993; the CIA maintained sole ownership until approximately 2018. Five Eyes allies benefited from the intelligence obtained.[1]
Swiss government knowledge: The GPDel (Parliamentary Control Delegation) published its 64-page investigation report on November 10, 2020. It found that Swiss intelligence (SND) knew the CIA was behind Crypto AG as far back as 1993 and subsequently collaborated with the CIA to gather foreign intelligence. The report stated: “From the fact that the SND and the American agencies acted by mutual agreement, it follows that the Swiss authorities share responsibility for the activities of Crypto AG.” Current government ministers were only informed in autumn 2019, just months before the media revelations. The GPDel report highlighted “shortcomings in the management and supervision exercised by the Federal Council.” A special prosecutor was appointed to investigate potential criminal liability, and Swiss authorities filed a criminal complaint against Crypto AG’s successor companies.[18]
Oversight Bodies
AB-ND: The Independent Oversight Authority for Intelligence Activities (Unabhängige Aufsichtsbehörde über die nachrichtendienstlichen Tätigkeiten), established by the NDG itself, monitors the legality and appropriateness of intelligence activities.[19]
GPDel: The Parliamentary Control Delegation (Geschäftsprüfungsdelegation), composed of members of both chambers, has wide-ranging inspection rights and conducted the Crypto AG investigation.[18]
FDPIC: Checks the legality of personal data collected domestically by the intelligence services.
Federal Audit Office: Audits the NDB on behalf of the Finance Delegation.
The multi-layered oversight structure reflects Swiss political culture, where checks and balances are deeply embedded. However, the Operation Rubicon investigation revealed that even this system can fail when intelligence activities are deliberately concealed from political leadership for decades.
The AB-ND has extended powers including cooperation with foreign supervisory authorities, direct communication with cantonal authorities, and the ability to make independent budget requests directly to Parliament, structural features designed to insulate oversight from political interference.[19]
Cryptography and Export Controls
Switzerland’s approach to cryptography regulation reflects its historical role as a center of encryption technology development and its participation in international export control regimes despite its political neutrality.
Unrestricted Domestic Use and Development
Under the Federal Law on Telecommunications (FMG) and related legislation, the development, manufacturing, and use of cryptographic software and hardware is not subject to any limitation within Switzerland. Individuals, businesses, and organizations may freely create, deploy, and use encryption technologies of any strength without authorization, licensing, or registration requirements.[37]
This liberal domestic policy stands in contrast to the stricter export controls applied to cryptographic products leaving Swiss territory.
Export Controls Under the Wassenaar Arrangement
Switzerland is a participating state in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. All items listed by the Wassenaar Arrangement, as well as those covered by the Australia Group, Missile Technology Control Regime, and Nuclear Suppliers Group, are subject to export control in Switzerland.[38]
The legal basis for export controls is the Federal Act on the Control of Dual-Use Goods, Specific Military Goods and Strategic Goods (Goods Control Act) and its implementing Ordinance concerning the Export, Import, and Transit of Dual-Use Goods and Specific Military Goods (June 25, 1997).[38]
SECO Licensing Authority
The State Secretariat for Economic Affairs (SECO) serves as Switzerland’s export licensing authority for dual-use goods, including cryptographic equipment, software, and technology. SECO is responsible for reviewing and approving export applications, maintaining the controlled goods list, and enforcing compliance.[38]
For exports of cryptographic equipment, Switzerland normally requires the presentation of an import certificate from the end-use country’s authorities (for countries whose authorities issue such documents). This provides an additional layer of accountability ensuring that controlled cryptographic products are delivered to legitimate end-users.
Ordinary General License (OGL) for Trusted Destinations
Switzerland operates an Ordinary General License (OGL) system for exports to end-users in countries that are members of all four international export control regimes (Wassenaar, Australia Group, MTCR, NSG). As of 2026, this includes 23 countries to which controlled cryptographic goods may be exported under streamlined procedures without individual licensing for each transaction.[38]
The OGL framework significantly reduces administrative burden for Swiss exporters while maintaining control over destinations where proliferation or diversion risks are higher.
Import Restrictions on Surveillance Technology
Under the Embargo Act and the Ordinance on the Export and Brokerage of Goods for Internet and Mobile Communication Surveillance, Switzerland restricts not only exports but also imports of certain surveillance technologies. This creates a rare scenario where Switzerland applies import controls based on human rights considerations, preventing the domestic market from becoming a transit hub for surveillance equipment destined for repressive regimes.[39]
Following the 2020 Operation Rubicon revelations, Switzerland strengthened due diligence requirements for cryptographic product exports to prevent future misuse of Swiss-origin encryption technology.[18]
Banking and Financial Privacy
Article 47 Banking Secrecy (1934)
Swiss banking secrecy, codified in Article 47 of the Federal Act on Banks and Savings Banks since February 2, 1934 (entered into force March 1, 1935), is one of the most widely known financial privacy protections globally. It makes it a federal crime for anyone who is or has been responsible for providing banking services to disclose client information to foreign entities, third parties, or even Swiss authorities without consent. Violations are punishable by up to five years’ imprisonment and fines of up to CHF 250,000.[20]
The codification of banking secrecy in the 1930s was driven by several converging factors, among them the introduction of formal banking supervision and a 1932 French campaign against tax evasion following a financial scandal involving Swiss banks that held accounts for prominent French citizens. The law transformed what had been a civil-law tradition into a federal criminal offense, establishing a financial privacy regime that remained widely recognized for nearly a century.[20]
Erosion Through AEOI (Since 2018)
The traditional banking secrecy protections have been substantially eroded over the past two decades under international pressure:
2009: Under pressure following the UBS tax evasion scandal, Switzerland agreed to adopt OECD standards on exchange of information upon request.
2013: Switzerland signed the OECD Multilateral Convention on Mutual Administrative Assistance in Tax Matters.
January 1, 2017: Switzerland formally adopted the Automatic Exchange of Information (AEOI) standard.
2018: First exchange of bank account information under AEOI with partner states.
2024–2026: AEOI agreements with 100+ partner countries; millions of cash and custody accounts shared annually.[21]
The AEOI covers account balances, interest, dividends, other financial income, proceeds from the sale of financial assets, and account holder identity information. However, AEOI applies only to foreign account holders; Swiss residents’ banking information is not exchanged automatically with foreign tax authorities, meaning banking secrecy remains functionally intact for domestic purposes.[21]
Telecommunications Confidentiality
Beyond banking secrecy, Swiss telecommunications law provides additional financial and communications privacy protections. Article 43 of the Federal Telecommunications Act (FMG) requires telecommunications service providers to maintain the confidentiality of subscribers’ communications. No person who is or has been responsible for providing a telecommunications service may disclose information relating to subscribers’ communications to third parties. Encryption of communication is considered a state-of-the-art data security measure under Swiss law.[35]
Anti-Money Laundering
Switzerland is a member of the Financial Action Task Force (FATF) and is rated compliant on 8 Recommendations, largely compliant on 29, and partially compliant on 3. The primary AML framework is the Anti-Money Laundering Act (AMLA/GwG), supplemented by FINMA regulations. On May 22, 2024, the Federal Council adopted a new bill to enhance the AML framework and align it with FATF standards; it is expected to enter into force in early 2026.[22]
The Swiss Financial Market Supervisory Authority (FINMA) supervises banks, insurance companies, asset managers, securities firms, and other financial intermediaries. Data processing by financial institutions is subject to both the general FADP and sector-specific requirements under the Banking Act, Insurance Supervision Act (VAG), and FINMA regulations.[36]
Data Retention
Current Requirements Under the BÜPF
Swiss telecommunications providers must retain metadata (not content) for 6 months. This includes traffic data (who communicated with whom, when, for how long, and from where), subscriber data, and location data. Internet service providers must retain edge/connection data (IP addresses, connection records) for 6 months. The content of communications is not subject to retention obligations. Retention applies to providers of “significant economic importance” as designated by the authorities.[12]
This is an important distinction: Switzerland retains metadata only, not communications content. However, as the European Court of Human Rights and multiple constitutional courts have recognized, metadata alone can reveal intimate details about a person’s life (who they communicate with, when, where they are located, and for how long), making even metadata retention a significant privacy concern.
VÜPF Expansion Controversy (2025–2026)
On January 29, 2025, the Federal Council opened consultation on a partial revision of the VÜPF (implementing ordinance for the BÜPF) that would significantly expand surveillance obligations:[23]
Extended monitoring to derived service providers: VPN services, messaging apps (including encrypted messaging), social media platforms, and email providers would be classified as telecommunications service providers subject to data retention.
IP address logging: Providers with as few as 5,000 users would be required to log IP addresses and retain data for six months.
ID verification requirements: Mandatory identity verification (driver’s license, phone number), effectively banning anonymous access to digital services.
Encryption undermining: Potential obligation for providers to build backdoors or weaken encryption to enable lawful interception.[23]
Industry Backlash and Pause
Swiss-based technology companies and civil society organizations strongly opposed the proposals. Some companies began relocating servers abroad (primarily to Germany and Scandinavian countries), with some considering moving headquarters entirely out of Switzerland. An open letter from civil society organizations warned of “extensive and indiscriminate data retention.”[24]
Following the backlash, the Swiss Federal Parliament accepted a motion to revise the surveillance amendment, confirming it will first commission an independent impact analysis before drafting a new version. The original proposal has been effectively paused as of early 2026.[25]
International Position
EU Adequacy (Since 2000, Renewed January 2024)
The European Commission first recognized Switzerland as providing adequate data protection on July 26, 2000 (Decision 2000/518/EC), making it one of the earliest countries to receive an EU adequacy determination. The most recent confirmation came on January 15, 2024, with the EU Commission welcoming the modernization of the Swiss Data Protection Act as consistent with the GDPR.[26]
Maintaining EU adequacy was one of the primary motivations for revising the FADP. Without it, every transfer of personal data from the EU/EEA to Switzerland would require individual safeguards such as standard contractual clauses, a significant burden for the deeply interconnected Swiss and European economies. The adequacy decision enables the free flow of personal data between the EU and Switzerland without additional conditions.[26]
Swiss-US Data Privacy Framework (September 2024)
The Swiss Federal Council approved the Swiss-US Data Privacy Framework on August 14, 2024, concluding that it provides an adequate basis for transferring personal data from Switzerland to certified US companies. The Framework entered into force on September 15, 2024, adding the United States to Annex 1 of the Data Protection Ordinance.[27]
Crucially, this adequacy determination is limited to organizations that have certified under the Framework; it does not constitute a general finding that the United States provides adequate data protection. Companies may rely on the Swiss-US DPF as a lawful basis for transfers beginning September 15, 2024. For transfers to non-certified US organizations, standard contractual clauses or other safeguards remain necessary.[27]
Schengen Association
Switzerland’s Schengen association (operational since 2008) has significant data-sharing implications. Through the Schengen Information System (SIS), the largest information-sharing system for security and border management in Europe, alerts entered by any Schengen state are available in real time to all other members. Swiss police can cooperate with other Schengen states to prevent and identify crime, continue surveillance across borders, and share information.[28]
To comply with Schengen requirements, Switzerland enacted the Schengen Data Protection Act (SDPA) in 2018, implementing the EU’s Law Enforcement Directive (Directive 2016/680) into Swiss law. The SDPA governs data processing by Swiss law enforcement when acting in the context of Schengen cooperation.[29]
International Data Transfers Under the FADP
Personal data may not be disclosed abroad if the destination country does not provide adequate data protection (Article 16 FADP). The Federal Council determines which countries provide adequate protection and lists them in Annex 1 to the Data Protection Ordinance. Currently recognized countries include all EU/EEA member states, the United Kingdom, Andorra, Argentina, Canada (partially), Faroe Islands, Gibraltar, Guernsey, Iceland, Isle of Man, Israel, Jersey, Monaco, New Zealand, Uruguay, and the United States (limited to DPF-certified companies).[30]
For transfers to non-adequate countries, organizations may rely on standard contractual clauses (including EU SCCs with Swiss-specific adaptations, replacing GDPR references with FADP references and designating the FDPIC as supervisory authority), binding corporate rules, contractual guarantees, or data subject consent. New Model Contractual Clauses (MCCs) have also been introduced as a Swiss-specific alternative.[30]
Data Sovereignty: Rejecting Palantir
Switzerland’s approach to data sovereignty is demonstrated not just through legislation but through procurement decisions. Between 2020 and the present, Swiss federal agencies have rejected Palantir Technologies at least nine times over a seven-year period, citing concerns that sensitive data could not be adequately safeguarded from U.S. intelligence access.[40]
Consistent Rejection Pattern
In 2020, Swiss military evaluators rejected a Palantir bid for an “IT system of the army’s intelligence service,” concluding it was unclear whether sensitive data could be safeguarded from access by U.S. intelligence agencies. The Federal Office of Public Health chose a competitor instead of Palantir for pandemic management systems. Similar rejections followed across multiple federal agencies and procurement processes.[40]
The consistent pattern of rejection reflects Switzerland’s institutional assessment that Palantir’s ties to U.S. intelligence (the company was initially funded by the CIA’s venture capital arm In-Q-Tel and maintains extensive contracts with the NSA, CIA, and other U.S. agencies) create unacceptable risks for Swiss data sovereignty.
Contrast with Other Nations
Switzerland’s rejections contrast with procurement decisions in other privacy-conscious jurisdictions. The United Kingdom awarded Palantir a £330 million NHS contract (2023) and a £240 million Ministry of Defence contract (2026). France renewed its DGSI intelligence contract with Palantir through 2025. Denmark deployed Palantir’s POL-INTEL platform across police databases. Even Germany, despite a federal ban, allows three states to use Palantir.[41]
Switzerland’s consistent refusal reflects institutional prioritization of data sovereignty concerns over operational considerations. As one Swiss official stated, the evaluators determined they could not be confident that “sensitive Swiss data would remain under Swiss control.”[40]
Intellexa Presence
While Switzerland has rejected Palantir, investigative reporting in October 2023 revealed that Predator spyware developed by Intellexa/Cytrox had been sold to Switzerland, among 25 countries identified as purchasers. The extent of Swiss government use of Predator remains unclear as of February 2026.[42]
International Data Sharing Agreements
Despite the robust domestic privacy framework described in the preceding sections, Switzerland participates in extensive international data sharing frameworks that provide foreign agencies with pathways to access Swiss person data, often through processes that operate outside domestic judicial oversight.
Mutual Legal Assistance Treaty with the United States (1973)
Switzerland signed the first modern bilateral MLAT with the United States in 1973, establishing the template for international mutual legal assistance that would be replicated worldwide. The Swiss-US MLAT allows law enforcement in both countries to request evidence and assistance in criminal investigations through diplomatic channels, with the Federal Office of Justice serving as Switzerland’s Central Authority.[43]
Unlike more recent MLATs that specify electronic evidence procedures, the 1973 Swiss-US treaty predates the internet era and has been interpreted through subsequent practice to cover digital evidence requests. Switzerland has MLATs with multiple countries beyond the US, creating a web of formal mutual assistance channels through which Swiss person data can be accessed by foreign law enforcement.
Club de Berne: Counter-Terrorism Intelligence Sharing
As described in the Intelligence Services section above, Switzerland is a founding member of the Club de Berne and has played a central role in European intelligence sharing for over five decades through this network.[17]
The Club de Berne operates parallel to, and predates, the Counter Terrorism Group (CTG), with membership substantially overlapping. Despite Switzerland’s non-membership in the Eyes alliances described earlier, its Club de Berne membership demonstrates sustained participation in European intelligence cooperation frameworks.
Five Eyes, Nine Eyes, and Fourteen Eyes
As detailed in the Intelligence Services section above, Switzerland is not a member of the Five Eyes, Nine Eyes, or Fourteen Eyes alliances. This non-membership is genuine and materially distinguishes Switzerland from neighboring European states that participate in routine signals intelligence sharing with the NSA and GCHQ.[17]
However, non-membership in formal intelligence alliances does not preclude operational intelligence cooperation with Five Eyes partners when Swiss intelligence interests align, as documented elsewhere on this page.
Schengen Information System (SIS II)
As described in the Schengen Association section above, Switzerland’s participation in SIS II means that alerts entered by Swiss police are visible in real time to law enforcement across all Schengen countries, and vice versa. The SDPA governs data protection for this processing.[28]
Prüm Decision: Biometric Data Exchange
Switzerland participates in automated cross-border exchange of DNA profiles, fingerprints, and vehicle registration data under the Prüm Decision framework, which enables hit/no-hit queries across participating states’ databases. The Prüm II Regulation (2024) expands this to include facial images and police records, though implementation timelines for Switzerland as a Schengen-associated state (not an EU member) may differ from EU member states.[44]
EU-US Data Sharing Frameworks
EU-US Umbrella Agreement: While Switzerland is not an EU member and not a direct party to the EU-US Umbrella Agreement (entered into force February 1, 2017), Swiss persons’ data shared with EU law enforcement may subsequently be exchanged with US authorities under the Umbrella Agreement framework, particularly when investigations involve cross-border elements.
SWIFT / TFTP Agreement: Swiss persons making international wire transfers are subject to US Treasury access to SWIFT financial transaction data under the Terrorist Finance Tracking Program (TFTP). SWIFT is headquartered in Belgium, and the EU-US TFTP agreement permits the US Treasury to subpoena SWIFT data with Europol verification.[45]
PNR Agreements: Swiss air carriers operating flights to the United States transfer passenger name record (PNR) data to US Customs and Border Protection under US aviation security requirements. While Switzerland is not party to the EU-US PNR agreement, the data collection affecting Swiss travelers is functionally equivalent.[46]
Multilateral Frameworks
Interpol I-24/7: Switzerland participates in Interpol’s global police communications network, which enables real-time sharing of criminal intelligence with 195 countries and processes over 100,000 messages daily. Swiss contributions to Interpol databases (including stolen travel documents, wanted persons, and stolen motor vehicles) become accessible to law enforcement worldwide.[47]
Egmont Group: The Swiss Financial Intelligence Unit (FIU) participates in the Egmont Group network of 164+ Financial Intelligence Units, sharing financial intelligence on suspected money laundering and terrorist financing across borders.[48]
Europol: Switzerland has a cooperation agreement with Europol, enabling the exchange of strategic and technical intelligence. Europol maintains cooperation agreements with the US FBI, meaning Swiss intelligence shared with Europol may subsequently flow to US law enforcement through Europol channels.[49]
The Privacy Backdoor Effect
Despite the domestic protections described throughout this page – including the FADP’s extraterritorial scope, the FDPIC’s binding enforcement orders, NDG triple-lock authorization, and the December 2025 FAC ruling – international data sharing agreements create alternative pathways for accessing Swiss person data:
- 1973 MLAT: US law enforcement requests through the bilateral treaty described above, potentially with lower evidentiary standards than Swiss judicial warrants
- Club de Berne: Counter-terrorism intelligence sharing through the network described earlier
- Schengen SIS II: Real-time alert sharing across all Schengen countries
- Prüm Biometrics: Automated biometric queries across Schengen-associated states
- SWIFT/TFTP: International wire transfer data subject to US Treasury subpoena
- PNR Air Travel: Passenger data transferred to US CBP
- Europol-FBI Channel: Intelligence shared with Europol potentially accessible to US FBI
For Swiss persons, this means data nominally protected by the domestic framework described throughout this page can be accessed through the international channels listed above, effectively creating parallel pathways that bypass the safeguards of the FADP, the NDG, and the December 2025 FAC ruling.
Recent Developments
FAC Cable Surveillance Ruling (December 2, 2025)
In a significant intelligence-related decision in Swiss law, the Federal Administrative Court (FAC) ruled on December 2, 2025 that cable reconnaissance and radio surveillance as currently practiced by the NDB are incompatible with the Federal Constitution and the European Convention on Human Rights. The court found that the current system of strategic signals intelligence offers insufficient protection against misuse, contains no instruments to protect journalistic sources and lawyer-client communications, and provides neither sufficiently effective oversight nor an effective legal remedy for affected parties.[14]
The case originated from a 2017 complaint by Digitale Gesellschaft (Digital Society Switzerland) and several individuals. In 2020, the Federal Supreme Court upheld the complaint in principle and referred it back to the FAC. The FAC granted the legislature a five-year transitional period to remedy the deficiencies. If a legally compliant system is not in place by 2030, radio and cable surveillance must be discontinued entirely.[31]
e-ID Approved (September 2025)
On September 28, 2025, Swiss voters narrowly approved the new Federal Act on Electronic Identification Services by 50.4% to 49.6%. This followed the rejection of a private-sector e-ID law in a March 2021 referendum; voters had objected to delegating digital identity infrastructure to private companies.
The new law establishes a state-run (not private sector), optional, and free-of-charge electronic identity system with decentralized data storage and interoperability with the EU eIDAS Regulation. The e-ID will be issued through a federal wallet application called “Swiyu”. A public beta launched in early 2025. Full rollout is planned for Q3 2026 at the earliest, with chip-enabled biometric ID cards planned by end of 2026.[32]
NDG Revision Packages (2025–2026)
The Federal Council is pursuing a multi-part revision of the Intelligence Service Act:
Basic package: Changes to procurement measures, data retention, and supervision provisions. The Federal Council has abandoned the controversial proposal to allow surveillance of persons with professional secrecy (lawyers, doctors). Consultation opened in December 2025.[33]
Cyber package: Additional measures against cyber threats, expected to address the growing sophistication of state-sponsored cyber operations targeting Swiss infrastructure. Consultation is planned for mid-2026.
Cable reconnaissance reform: The requirements from the FAC ruling described above will be implemented as a separate legislative track to avoid delaying the basic and cyber packages. This track faces the binding 2030 deadline imposed by the court.[33]
FADP First Year of Enforcement
As noted in the Data Protection Authority section, the revised FADP’s first year saw 26 preliminary enquiries and investigations opened, with 7 concluded, including the Xplain and Ricardo/TX Group cases described earlier. The enforcement pace is considered modest compared to EU DPAs, consistent with the FDPIC’s historically cautious approach, though the Commissioner’s expanded enforcement powers represent a significant practical change.[4]
Digital Switzerland Strategy 2026
On December 12, 2025, the Federal Council approved the Digital Switzerland Strategy 2026, prioritizing e-ID adoption, digital government services, and a framework for trustworthy artificial intelligence.[34]
Legal Challenges to Data Retention
Digitale Gesellschaft (Digital Society Switzerland) has been the primary challenger of Swiss data retention laws, filing complaints at the Federal Administrative Court arguing that blanket metadata retention violates fundamental rights. Switzerland, as a party to the ECHR, is bound by ECtHR jurisprudence, which has consistently ruled that mass surveillance regimes must comply with principles of necessity and proportionality. The Swiss Federal Supreme Court has indicated that CJEU case law on privacy, including the landmark Digital Rights Ireland decision invalidating the EU Data Retention Directive, is relevant to Swiss legal analysis.[23]
Schengen Data Protection Act Implementation
The SDPA, described in the Schengen Association section above, was adopted as a provisional measure ahead of the broader FADP revision. Its continued relevance is that it governs Swiss law enforcement data processing in all Schengen contexts, including SIS II access, while the FADP governs general data protection.[29]
NDG Basic Package Dispatch to Parliament (February 13, 2026)
The Federal Council submitted the formal dispatch (Botschaft) for the NDG basic revision package to Parliament on February 13, 2026. Key provisions include: the FIS mandate extended to all of cyberspace (removing the current limitation to specific cyber threat categories), authority for data collection from financial intermediaries, new measures targeting violent extremism, and AB-ND oversight strengthened with extended powers. Notably, the controversial proposal to allow surveillance of persons with professional secrecy (lawyers, doctors, journalists) was dropped from the final dispatch following strong opposition during consultation.[50]
VÜPF Civil Society Open Letter (February 4, 2026)
On February 4, 2026, 19 civil society organizations including EDRi, Amnesty International, Privacy International, and Statewatch published an open letter demanding Switzerland abandon blanket data retention and identification requirements under the VÜPF revision. In a tangible demonstration of the economic consequences, Proton began relocating CHF 100 million in infrastructure investment to Germany and Norway. Parliament had previously paused the VÜPF process following a December 10, 2025 motion calling for an independent impact analysis before any new draft is produced.[51]
Mandatory Cyberattack Reporting Penalties (October 1, 2025)
Following the April 1, 2025 introduction of mandatory cyberattack reporting obligations for critical infrastructure operators, enforcement penalties took effect on October 1, 2025. Operators failing to report qualifying incidents to the Federal Office for Cybersecurity (BACS) within 24 hours now face fines of up to CHF 100,000. During the six-month grace period between April and October, BACS logged 164 reported incidents, establishing baseline data on the scope and frequency of cyberattacks against Swiss critical infrastructure.[52]
AI Regulation: Council of Europe Convention (March 2025)
Switzerland signed the Council of Europe Framework Convention on Artificial Intelligence on March 27, 2025. The Federal Department of Justice and Police (FDJP) is preparing a draft implementation bill for public consultation by the end of 2026. Switzerland explicitly rejected the EU AI Act model, opting instead for a sector-specific regulatory approach tailored to Swiss legal traditions. In the interim, the FDPIC has confirmed that the existing FADP applies to AI systems processing personal data, meaning current data protection obligations already govern AI-driven profiling, automated decision-making, and algorithmic processing of personal data.[53]
Cyber Resilience Law (Draft Expected Autumn 2026)
The Federal Council announced preparations for a comprehensive Cyber Resilience Law with a draft bill expected in autumn 2026. The legislation aims to align Switzerland with the EU’s Cyber Resilience Act (CRA) and NIS-2 Directive, establishing minimum security requirements for connected products, mandatory vulnerability disclosure processes, and import bans on devices that fail to meet baseline cybersecurity standards. The law reflects Switzerland’s broader pattern of maintaining regulatory compatibility with EU digital policy without directly adopting EU regulations.[54]
Swiss-US Data Privacy Framework Stability Concerns
While the Swiss-US Data Privacy Framework (described in the International Position section above) remains operational, its long-term stability has come under question following the termination of all three Democratic members of the US Privacy and Civil Liberties Oversight Board (PCLOB) in January 2025, leaving the board without a quorum. The PCLOB plays a central role in the redress mechanism underpinning both the EU-US and Swiss-US data privacy frameworks. Legal commentators have recommended that Swiss organizations maintain Standard Contractual Clauses (SCCs) as a precautionary fallback alongside DPF certification, in the event the Framework faces a legal challenge or is invalidated.[55]
FDPIC Annual Report 2024/2025
The FDPIC’s annual report for the 2024/2025 reporting period documented increased enforcement activity and a new focus on cross-platform tracking practices. The report also disclosed the conclusion of the FDPIC’s investigation into Grok/X (formerly Twitter) in March 2025, which examined the platform’s use of user data for AI model training. The FDPIC concluded that X’s opt-out mechanism for Grok training data was compliant with the FADP, though the Commissioner noted that opt-out (rather than opt-in) consent models remain an area of ongoing scrutiny under Swiss data protection principles.[56]
