Upcoming revisions
Intelligence and Security Act
Lawful Interception Act
Telecommunications Act
Copyright Act
Data Protection Act
Comment
The telecoms sector is on the move, with numerous revisions being made to the following upcoming legislation:
- the Intelligence and Security Act;
- the Lawful Interception Act;
- the Telecommunications Act;
- the Copyright Act; and
- the Data Protection Act.
The first to enter into force is the revision of the Intelligence and Security Act, followed by the revision of the Lawful Interception Act. The other revisions have yet to reach Parliament.
Even after passing Parliament, the Intelligence and Security Act remains controversial and a referendum was requested, which was passed in September 2016. Ordinances have since been drafted, sent for consultation and finalised.
The new act requests the cooperation of service providers without using the terms defined in the Telecommunication Act or the Lawful Interception Act. As a result, it remains unclear who will need to cooperate (unclear personal scope of application).
Service providers will mainly have to cooperate with two measures:
- computer systems and networks intrusion (eg, Trojan horses), whereby the cooperation obligations are not precisely defined, meaning that the role of the service providers remains unclear; and
- access to cable networks, whereby service providers must provide the service with (technical) access information to the cable network, allow access to their location if requested, and provide data found by means of keyword research.
The two measures may be ordered only if certain conditions are met. The measures must be approved by the Federal Administrative Court and, besides this approval, access to cable networks must also be approved by the head of the Federal Department of Defence, Civil Protection and Sport (one of seven federal councillors). The service providers do not have the right to challenge the order unless the order requests obligations for the service provider that are unforeseen by the Intelligence and Security Act.
The act and its ordinances entered into force on September 1 2017.
Revision
Parliament revised the Lawful Interception Act in March 2016 and a first draft of the ordinances was sent to the authorities, political parties and stakeholders for consultation. The final version of the ordinances is still expected.
The personal scope of application of the revised act has been extended and includes the following telecoms providers:
- telecoms service providers, as defined in the Telecommunications Act;
- over-the-top (OTT) service providers enabling one or two-way communication;
- providers of company networks;
- providers of public access points; and
- retailers of SIM or similar cards.
Telecoms service providers
The interception obligations for telecoms service providers remain essentially unchanged. The surveillance service must be provided with the following data:
- identification data;
- content data in real time; and
- traffic data in real time and retroactively for up to six months.
The ordinances will define the different interception types in greater detail.
OTT service providers
OTT services providers now fall under the scope of the Lawful Interception Act. Until now, only certain OTT service providers fell under the scope of the act as they were considered telecoms service providers (eg, Skype), while others (eg, Facebook) were not seen as telecoms providers and were therefore not included. The revised act clarifies this and guarantees equal rights.
The main obligations of OTT service providers are to provide the surveillance service with:
- access to their premises and systems;
- any information requested; and
- any traffic data in their possession.
However, major providers must provide the same data as the telecoms service providers.
The draft ordinance defines the major OTT providers as companies with:
- an annual consolidated turnover of Sfr100 million (essentially in the telecoms sector) and which provide their OTT services to at least 5,000 customers; and
- companies having received more than 50 surveillance requests during the past 12 months (this definition could be modified in the final version of the ordinance).
Providers of company networks and public access points
Both providers of corporate networks (eg, internal networks) and providers of public access points (eg, internet cafés, hotels, restaurants, hospitals and schools) must cooperate with the surveillance service by providing:
- access to their premises and systems;
- any information requested; and
- any traffic data in their possession.
Retailers of SIM cards or similar cards
Retailers of SIM cards or similar cards must identify the purchaser and retain copies of their passports, ID or Swiss residence and work permits. The ordinance does not explicitly require in-person identification; other means of identification might be possible.
Proof of compliance
On request by the surveillance service, telecoms service providers must prove at their own cost that they comply with the Lawful Interception Act and can fulfil their obligations.
The service providers may delegate lawful interception to another service provider.
Penalties
In case of non-compliance, the revised act foresees a fine up to Sfr100,000.
Entry into force
The revised act will enter into force on January 1 2018.
The first draft of the revised Telecommunications Act is before the authorities, political parties and stakeholders for consultation. Based on the outcome, the authorities will send a second draft to Parliament in October or November 2017. The draft is expected to:
- respect technology neutrality;
- protect minors;
- include network neutrality or transparency;
- liberalise the use of radio frequencies; and
- reduce the administrative burden for service providers.
The revised act is not expected to enter into force within the next three or four years.
The first draft of the revised Copyright Act has been sent for consultation and contained a clause on liability exclusion for hosting and access providers if they followed a notice takedown procedure (hosting providers) or blocked transmission (access providers). The obligation for access providers to block transmission has been broadly criticised. The new draft of the act to be sent to Parliament is likely to contain a notice takedown procedure for hosting providers, together with an exclusion of liability, but no blocking obligations for access providers.
The revised act is not expected to enter into force within the next two or three years.
The draft of the revised Data Protection Act has been sent to the authorities, political parties and stakeholders for consultation. The outcome is being processed and a revised draft will be published. The first draft increases the rights of the data subject and introduces heavy penalties, so that opposition of the economy is expected and the draft to be sent to Parliament might differ from the first draft that has been published. One of the main focuses of the revision, which is likely to remain, is the adequacy of the Swiss level of data protection with regard to the protection granted under the General Data Protection Regulation (GDPR) of the European Union.
Because the GDPR enters into force in May 2018, the authorities will push the revision but it is unlikely that the revised act will enter into force within the next two years.
The pending revisions request that providers remain alert and continually adapt their processes in order to remain compliant.
For further information on this topic please contact David F Känzig or Katia Favre at Thouvenin Rechtsanwälte by telephone (+41 44 421 45 45) or email ([email protected] or [email protected]). The Thouvenin Rechtsanwälte website can be accessed at www.thouvenin.com.