Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.    

Privacy and data security

Net neutrality

What is your jurisdiction’s regulatory stance on net neutrality?

There exist no specific regulations on net neutrality in Switzerland so far. In March 2015, the Swiss Council of States voted against a specific regulation on net neutrality, mainly because it wanted to await international developments on this issue. However, in November 2014 the largest Swiss information and communications technology companies agreed on a code of conduct (CoC) on net neutrality and published related explanatory notes in order to ensure open internet access in Switzerland. Under the CoC, the telecommunications service providers undertake not to lock services and applications, and not to limit the freedom of speech and information. In principle, all users shall be granted access to the full range of content, services, applications, hardware and software. However, the CoC allows specific prioritisation of certain content, among other things for the purpose of network management and to improve the network’s quality. It is explicitly stated that zero rating is permitted. As part of traffic management measures, bandwidth throttling may be applied under the CoC. The users may call upon a conciliation body in the event of a provider’s alleged breach of its CoC obligations. Such conciliation body will also constantly evaluate the CoC and its impact on the openness of the Internet, and report on this subject matter annually. In the draft bill of the Federal Council for the revision of the current Federal Act on Telecommunications (TCA), several provisions are aimed at improving consumer protection, thereby imposing transparency obligations on telecommunications service providers with regard to the processing of the information that they transmit (network neutrality) and the quality of their services.

Encryption

Are there regulations or restrictions on encryption of communications?

According to the TCA, no person who is or has been responsible for providing a telecommunications service may disclose to a third party information relating to subscribers' communications or give anyone else an opportunity to do so.

The Federal Council is empowered to regulate, in particular, the identification of the caller's line, call forwarding, the use of data relating to telecommunications traffic and the security of telecommunications services with regard to interception and interference by unauthorised persons. It shall thereby take account of the need to protect the privacy of telecommunications users. As a consequence, telecommunications service providers are obliged to inform their customers of the risks involved in using their services with regard to interception and intervention by unauthorised third parties, and must offer or indicate appropriate means of eliminating those risks.

As the encryption of communication is a state of the art data security measure, a de facto obligation to encrypt communication exists. However, there is no case law on the question of which encryption process is sufficient in which case.

Data retention

Are telecoms operators bound by any rules or requirements on the retention of consumer communications data? If so, for how long must data be retained?

Under the Federal Postal Service and Telecommunications Surveillance Act, telecommunications service providers are obliged to provide the following information on certain telecommunications services to the authorities:

  • name, first name, date of birth, address and, if known, occupation of the participant;
  • the addressing elements;
  • the types of services;
  • for pre-paid services, also the surname and first name of the person who provided the means necessary for access to the telecommunications service.

The Federal Council may oblige telecommunications service providers to provide other data on telecommunications services that may be of an administrative or technical nature or allow the identification of persons. To date, no such other data must be provided.

Telecommunications service providers must ensure that above-listed information is recorded when the customer relationship is established, and can be supplied for the duration of the customer relationship and for six months after its termination. Providers are obliged to keep the data allowing identification of the participants, as well as the traffic and billing data, for at least six months.

If it is suspected that a crime has been committed over the Internet, telecommunications service providers are obliged to provide the service with all the information necessary to identify the offender. In this regard, the same retention deadlines as mentioned above apply.

Government interception/retention

What rules and procedures govern the authorities’ interception of communications and access to consumer communications data?

The Federal Postal Service and Telecommunications Surveillance Act and its related ordinance set out the rules and procedure with regard to the interception of communications and access to consumer communications data. The starting point is a specific request for information made by the competent authorities to the telecommunications service provider. The transmission, in principle, takes place via an electronic processing system.

Data security obligations

What are telecoms operators’ general data security obligations to consumers?

As described above, telecommunications service providers are subject to a general confidentiality obligation. They are not allowed to disclose to a third party any information relating to a subscriber’s communications or provide anyone else the opportunity to do so. Subscribers must be granted access to the data on which invoices are based, in particular the addressing resources, the times when calls were made and the payment due.

Moreover, anyone requiring this data to trace nuisance calls or unfair mass advertising must be informed of the name and address of the subscribers whose lines were used for such calls.

Under the TCA, telecommunications service providers may process customer location data only for the provision of telecommunications services and for charging purposes. The processing of data for other services requires prior consent of customers or anonymous processing.

In addition, the Federal Act on Data Protection (FADP) applies. The FADP aims to protect the privacy and the fundamental rights of persons when their data is processed by private persons or federal bodies. Anyone who processes personal data must not unlawfully breach the privacy of the data subjects in doing so. In particular, he or she must not process personal data in contravention of the principles of the FADP, process data pertaining to a person against that person’s express wish without justification, or disclose sensitive personal data or personality profiles to third parties without justification.

The principles of the FADP are, among other, that personal data may be processed only lawfully, that its processing must be carried out in good faith and be proportionate, and that the purpose of its processing must be evident to the data subject. The FADP also provides certain specific regulations for the communications sector, such as the limitation of the right to information for journalists.

Click here to view the full article.