Recent developments and future prospects

Trends and developments

Have there been any notable recent trends or developments concerning the conduct of online and digital business (both business to business and business to consumer) in your jurisdiction, including any regulatory changes or case law?

Based on the recently published Digital Test survey, carried out by the Federal Department of Economics, Education and Research, the Federal Council decided to reduce the obstacles for digital businesses in Switzerland. Further, the Federal Council has set the digital strategy for Switzerland for the next two years with the aim of prioritising the government’s efforts in this matter. In particular, regulatory measures will be implemented in the field of legal formalities. Further, there have been recent developments related to the Data Protection Act, e-government and electronic identity. In summary, the legal framework for the digital economy in Switzerland will be improved.

Future prospects

What are the future prospects for digital business in your jurisdiction, including any proposed or potential regulatory reforms and future technological/market developments?

The aim of the Federal Council is to ensure that Switzerland continues to remain an attractive location for digital businesses. Therefore, the legal barriers for companies conducting digital businesses will be reduced, keeping in mind the protection of consumers and employees and recent developments in neighbouring countries (especially the European Union).

Legal framework

Legislation

What primary and secondary legislation governs the conduct of digital business in your jurisdiction?

In Switzerland, the conduct of digital business is mainly regulated by secondary legislation. Sector-specific regulations and laws do not exist. The following legislation is the most important for the conduct of digital business:

Depending on the industry in which industry the digital business is conducted, sector-specific laws may apply – in particular, strict regulations apply in the healthcare and finance sectors.

Regulatory authorities

Which authorities regulate the conduct of digital business and what is the extent of their powers?

As the conduct of digital business is regulated by various acts, several authorities are responsible. Whether an authority is competent depends on the relevant regulation. The most important authorities in the field of digital business are:

  • the Competition Commission regarding the Federal Law against Unfair Competition;
  • the Federal Data Protection and Information Commissioner regarding the Federal Act on Data Protection;
  • the State Secretariat for Economic Affairs regarding the Federal Act on Work in Industry, Trade and Commerce and the Order on the Indication of Prices;
  • the Swiss Financial Market Supervisory Authority in the field of financial markets/services; and
  • the Swiss Agency for Therapeutic Products with regard to the sale of medical or therapeutic products and any marketing activities in this field.

These authorities oversee compliance with and the enforcement of the relevant laws.

Government policy and regulatory approach

How would you describe the government’s policy and regulatory approach to digital business?

The government has a forthright approach to the further development and liberalisation of digital business in Switzerland. Contact with the authorities will also be more digital in the future (ie, e-government). Since the end of November 2017 an online platform for companies exists, which aims to make it easier for companies to obtain the necessary permits. The range of services available through this online platform is expected to be expanded in the coming years. 

Establishing digital businesses

Requirements

What regulatory and procedural requirements govern the establishment of digital businesses in your jurisdiction? To what extent do these requirements and procedures differ from those governing the establishment of brick-and-mortar businesses?

The establishment of businesses in Switzerland is mainly governed by the Code of Obligations and the Trade Register Order. There are no specific regulations with regard to the establishment of digital businesses compared to brick-and-mortar businesses. In comparison to other countries, setting up a company in Switzerland is expensive. There are minimum capital requirements and unavoidable fees which must be paid to notaries and the company registry. Companies must be registered in the canton where they are based, and the documentation must be in the local language.

In November 2017 Switzerland’s federal government launched a new online tool, EasyGov, to help with setting up companies and some company administration, such as registering for, filing and paying value-added tax and paying social taxes. Using this requires a certified identification. However, a notary is still required to set up a company.

Electronic contracts and signatures

Electronic contract availability

Are electronic contracts legally valid in your jurisdiction? If so, what rules and restrictions govern their formation (including any mandatory or prohibited provisions and contract formats)?

The conclusion of a contract requires a mutual expression of intent by the parties. The expression of intent may be express or implied. The validity of a contract is not subject to compliance with any particular form (unless specifically prescribed by law). There are no specific regulations on electronic contracts, but based on the general rules cited above an electronic contract is legally valid unless a particular form (eg, a handwritten signature or notarisation) is required by law. However, the law provides for an authenticated electronic signature which, if applied, is deemed equivalent to handwriting.

Are there any limitations or restrictions on transactions that can be concluded through electronic contracts?

E-signatures cannot be used where the law requires a specific form – for example, in the case of a will (which must be handwritten in its entirety) or real estate deals (requiring a public deed).

Data retention

Do any data retention requirements apply to electronic contracts?

The Code of Obligations requires the accounting records, accounting vouchers, annual report and audit report to be retained for 10 years from the expiry of the financial year in which they were created. The accounting records and accounting vouchers may be retained on paper, electronically or in a comparable manner, provided that correspondence with the underlying business transactions and circumstances is guaranteed thereby and provided that they can be made readable again at any time.

‘Accounting vouchers’ are any documents on paper, in electronic format or in comparable form that are required to verify the business transaction. These particularly include contracts, business letters, communications from public authorities (eg, tax authorities) and emails, if such documents are relevant for the full understanding of an accounting entry (even if only potentially relevant). This is independent of whether they are in digital form or hard copy.

To the extent that records contain personal data as defined by the Federal Data Protection Act, these records may not be kept for a longer period than is necessary for achieving the purposes for which the personal data was collected. After the applicable maximum retention period has lapsed, the documents should be disposed of. An exception applies in the event of reasonable anticipation of litigation, tax audits or investigations. 

Remedies

Are any special remedies available for the breach of electronic contracts?

No, general remedies apply.

Electronic signatures

Are electronic signatures legally valid in your jurisdiction? If so, what rules and restrictions govern their use?

An authenticated e-signature is deemed equivalent to a handwritten signature. However, an authenticated e-signature can be obtained only from a recognised authority. The (fairly limited) list of all such authorities in Switzerland is available on the competent federal authority’s website. Authenticated e-signatures are treated like handwritten signatures. Other than that, digital signatures are valid only if there is no legal requirement for a document to be in writing. Many types of contract do not require handwritten signatures but can be agreed orally, electronically or otherwise. In practice, contracts are often concluded electronically (eg, online shops or email). However, if a contract is disputed, the admissibility and validity of the use of an electronic agreement concerns questions of evidence. Typically, companies set out in their agreements that these must be in writing. In civil proceedings, any electronic records (eg, emails, scans or print-outs of paper records) can serve as evidence. However, a court may ascribe less evidentiary value to electronic records or a print-out than it would to a document originally drawn up on paper.

Electronic payments

Electronic payment systems

Are there any rules, restrictions or other relevant considerations regarding the use of electronic payment systems in your jurisdiction?

Specific regulations on the use of electronic payments and the relevant service providers do not exist in Switzerland. However, payment systems may be qualified as financial market infrastructures, and providers qualified similarly. Such infrastructures are governed by the Financial Market Infrastructure Act. Therefore, a payment service provider could fall within the scope of the Swiss financial market and other laws, most importantly the Swiss Banking Act, the Anti-money Laundering Act, the Consumer Credit Act and the National Bank Act.

Virtual currencies

Are there any rules or restrictions on the use of virtual currencies (eg, Bitcoin)?

Yes, there are rules, even though not sector specific ones. Additionally, trading in these units may still require authorisation from the Swiss Financial Market Supervisory Authority (FINMA). For example, providing custody wallet services (ie, custody and payment services for virtual currencies) and operating trading platforms on which virtual currencies can be bought and sold fall under the Anti-money Laundering Act. Before offering such services, potential providers must either join a self-regulatory organisation or register directly with FINMA as a financial intermediary.

FINMA recently published a factsheet on virtual currencies. 

Data protection and cybersecurity

Collection, use and storage

What rules, restrictions and procedures govern the collection, use and storage of personal data in the course of digital business in your jurisdiction?

The Swiss Federal Data Protection Act provides that the mere act of collecting personal data constitutes the processing of such personal data. Therefore, all legal requirements which apply to the processing of personal data also apply to the collection of such data. Accordingly, the law requires that the collection of personal data may only be performed for a lawful purpose. The act requires that the collection of personal data must be evident to the data subject and, if consent is required, such consent is valid only if given voluntarily based on adequate information provided to the individual before the start of collection.

Although Switzerland is not a member of the European Union or the European Economic Area, in certain circumstances the EU General Data Protection Regulation (GDPR) is applicable to Swiss businesses. In particular, this applies when Swiss-based companies offer goods or services to EU data subjects or when they monitor the (online) behaviour of EU data subjects.  

International data transfers

What rules and restrictions apply to the cross-border transfer of personal data collected in the course of digital business?

The Swiss Federal Data Protection Act regulates the cross-border transfer of data. Transfer may be prohibited if, for example, the recipient's country cannot provide an adequate level of data protection. Both private individuals and federal bodies involved in cross-border data disclosure are subject to a duty of care. The transfer of data files abroad must be notified to the Federal Data Protection and Information Commissioner in the case of a lack of adequate protection in the recipient's country. In the absence of such protection, data may be disclosed abroad only if other safeguards have been put in place, particularly contractual clauses or corporate rules that guarantee protection. The commissioner must be informed of such clauses and rules; a general notification for all data transfers is permissible. In addition, the disclosure of personal data abroad may be justified if there is consent of the data subject, impending conclusion or performance of a contract with the data subject, protection of the data subject or overriding public interest.

Consumer rights

What rights are afforded to consumers in relation to their personal data?

According to the Federal Act on Data Protection, consumers have the following rights in relation to their personal data:

  • the right to rectification;
  • the right to information; and
  • the right to erasure.

The GDPR may apply in relation to consumers in the European Union, even if a digital business is based in Switzerland. Therefore, consumers may claim rights outlined in the GDPR which are more comprehensive than under the current Swiss Federal Data Protection Act. In addition, the Swiss act is currently being revised and will provide similar rights to consumers as are included in the GDPR.

Cookies

How is the use of cookies regulated?

The use of cookies is regulated by the Telecommunications Act and is permitted only if users are informed about the processing and its purpose and that they may refuse to allow processing. This means that an opt-out procedure is sufficient. Breach of this provision can be punished with a penalty up to Sfr5,000, but to date no enforcement procedures or sanctions have been made public. Finally, for businesses based in Switzerland but oriented toward the European Union, more strict EU regulations on cookies must be considered, in particular the EU E-Privacy Directive. This directive is presumed to have similar extra-territorial effects on Switzerland to the GDPR. 

Data breach

What rules and standards govern digital operators’ response to data breaches? Are they subject to any notification requirements in the event of a data breach? What precautionary measures should be taken to avoid data breaches?

At present, there is no requirement to notify personal data security breaches under the Swiss Federal Data Protection Act. However, as above, GDPR notifications may apply. Moving forward, notification will also be required under the new federal act.

Cybersecurity

What cybersecurity regulations and/or standards apply to the conduct of digital business?

Generally, the data controller must implement adequate technical and organisational protection measures and ensure the confidentiality, availability and integrity of the data to ensure an appropriate level of data protection. In particular, the data controller must protect its systems against:

  • unauthorised or accidental destruction;
  • accidental loss;
  • technical faults;
  • forgery, theft or unlawful use; and
  • unauthorised alteration, copying or access or other unauthorised processing.

The Federal Act on Data Protection and the Telecommunications Act regulate the cybersecurity principles to be followed. An IT system containing personal data must meet certain criteria to ensure the security of such data. The Federal Data Protection and Information Commissioner has published a guide for technical and organisational measures.

MELANI, the Reporting and Analysis Centre for Information Assurance, focuses on the protection of infrastructures of critical national importance. Since 2012 MELANI also began implementing the National Strategy for the Protection of Switzerland against Cyber Risks.

Is cybersecurity insurance available and commonly purchased?

Most of the insurance solutions offered are customised and can include almost every cyber risk that may have an impact on the insurance premium. Common examples include protection against denial-of-service attacks, recovery of stolen, destroyed or damaged data after a cyber-attack and defence against unjustified claims by third parties.

A survey of a major Swiss insurer showed that currently only 12% of Switzerland’s small and medium-sized companies are using such insurance, even if they have not implemented the appropriate cybersecurity measures. 

Encryption

Are there regulations or restrictions on the use of encryption?

No regulations or restrictions specifically address encryption. However, according to the Federal Data Protection Act, adequate technical and organisational protection measures to ensure the confidentiality, availability and integrity of data should be taken, in particular encryption methods. Further, insofar as data is appropriately encrypted it is no longer considered personal data and therefore the handling of such data is less restricted. 

Government interception/retention

What rules and procedures govern the authorities’ interception of communications and access to consumer data?

Generally, interception is a criminal act and protected by the Swiss Criminal Code. In pending criminal proceedings cantonal and federal law enforcement authorities can issue the Post and Telecommunications Surveillance with a surveillance mandate. However, all surveillance is subject to prior approval by a judicial authority or a cantonal or federal coercive measures authority. The examination of a surveillance mandate consists of checking whether the ordering authority is competent to order a surveillance mandate and whether the mandate is about a punishable act contained on the crime list.

Advertising and marketing

Regulation

What rules govern digital advertising and marketing in your jurisdiction?

The Federal Law against Unfair Competition bans unfair advertising and sales practices and other wrongful conduct, including spam messages. Companies which use direct marketing must also exercise particular discretion when handling personal data. The Federal Data Protection Act regulates the lawfulness of processing personal data; this includes that the processing must be carried out in good faith and must be proportionate, appropriate and transparent. Further, the use of pictures or graphic works must comply with the Copyright Act. 

Are there any specific regulations governing the use of targeted advertising?

When using personal data for targeted advertising, the Federal Data Protection Act must be complied with. With regard to mass emails, the regulations of the Federal Law against Unfair Competition, which requires consent from the recipient, identification of the sender and a convenient opt-out option for the recipient, apply.

Further, for businesses offering services and goods to data subject in the European Union or the European Economic Area, as well as for tracking cookies or similar methods of tracking, the respective EU regulation such as the GDPR and the EU E-Privacy Regulation, once in force, should be considered.

Restrictions

Are there any restrictions or limitations on goods and services that can be advertised, marketed and sold online?

Various regulations limit the sale of goods and services online. In particular, when offering financial services, specific regulations such as the banking law, regulations regarding stock exchanges or money laundering must be respected. When offering medical drugs or therapeutic products there are strict regulations with regard to the advertising and sale of such products. Other regulations concern the declaration of foodstuffs, safety of food products or the sale of alcohol or tobacco products. Further, there are regulations on product liability which include mandatory liability for product defects.

Spam messages

What rules and restrictions govern the sending of spam messages?

The sending of unsolicited electronic communications (spam) is regulated by the Federal Law against Unfair Competition and the Telecommunications Act. Providers of telecommunication services are mandated to combat unfair mass advertising. The mass sending of spam emails is considered an act of unfair competition unless the following conditions are met:

  • The recipient has given consent.
  • The sender is disclosed and identifiable.
  • The recipient is given a convenient and free of charge opportunity to unsubscribe from communications.

Digital content and IP issues

Required notices

Are websites and any other digital content required to display certain legal notices or other information in your jurisdiction?

Yes, websites and other digital content are required to do so. In accordance with the Federal Law against Unfair Competition, anyone offering goods, work or services using electronic commerce must:

  • indicate clearly and in full its identity (company name) and contact address (postal and email address);
  • indicate the various technical steps resulting in the conclusion of a contract;
  • provide the appropriate technical tools making it possible to detect and correct entry errors before sending an order; and
  • immediately confirm the customer’s order by email.

A simple contact form is not enough to meet these requirements.

Further, for goods it is necessary to indicate the actual price to be paid in Swiss francs, including non-optional supplements of any kind.

Liability for content

What rules govern liability for online or other digital content that is defamatory or infringes another party’s IP rights?

Under Swiss civil law, such liability can be divided into three categories: contractual liability, general non-contractual liability and special statutory liability. Such liability is governed by the Swiss Civil Code (Articles 27 and following), the Swiss Code of Obligations (Articles 41 and following) or the respective IP regulations (eg, the Copyright Act). Further, the regulations of the Swiss Criminal Code must be considered.

How can liability be excluded or limited?

The exclusion of liability for the participation in the infringement or defamation of another party’s IP right is not possible because every party involved in such an infringement or defamation can be liable. This particularly applies where special statutory liability is applicable.

In the field of service providers (eg, blog providers), such providers can contractually limit their liability regarding their users’ content. However, since this is relevant for digital businesses, the exclusion of liability within general terms and conditions for contracts with consumers is critical (due to laws protecting consumer rights). Further, such contractual exclusion needs both parties’ consent. This type of exclusion in the business-to-consumer field can be void, depending on the individual case. However, it is regularly done in the business-to-business field. 

Which parties can be held liable for defamatory or infringing content? Can contingent liability be extended to internet service providers (ISPs)?

Every party which, in any way, objectively participates in the infringement or defamation can be liable – therefore, providers are also liable. In 2013 the Federal Court decided that a blog provider – in this case, a newspaper blog – can be liable for defamatory or infringing content (see Decision 5A_792/2011). To reduce the risk of liability, such providers must check the respective content themselves. At present, the Copyright Act is undergoing revision. In the future, internet service providers will have greater obligations with respect to defamatory or infringing content. Failure to meet such obligations may lead to liability.

Content takedowns

What rules and procedures govern content takedowns? Can ISPs remove defamatory or infringing content without permission?

Swiss law sets down no specific rules about the civil and criminal liability of internet service providers (ISPs), and particularly not for ISPs’ legal privilege. Rather, general rules apply to the protection of personality rights.

In view of this, the Swiss Internet Industry Association has adopted a code of conduct in order to strengthen legal certainty and establish an industry standard to help clarify the roles, responsibilities and processes relating to illegal online content. The code provides for a notice and notice procedure and a notice and takedown procedure in cases of illegal content. 'Illegal content' is defined as content infringing IP rights, personality rights or constituting a criminal offence (particularly pornography, the portrayal of violence, racism and libel).

However, ISPs have no general obligation to check for unlawful content. ISPs can be accused of a lack of care only if they fail to take reasonable measures after receiving specific indications of an obvious breach of legal rights. Only in the case of an obvious infringement of rights should providers have to remove content on their own initiative in order to avoid liability to pay damages.

Domain names

What rules, restrictions and procedures govern the licensing of domain names?

The registration and administration of domain names under the domains ‘.ch’ and ‘.li’ are regulated by the general terms and conditions of SWITCH, the Swiss domain name regulator. According to the general terms and conditions, the following rules apply:

  • Equal treatment – SWITCH will handle requests for registration provided that the premises are the same, in accordance with the same rules and principles.
  • First come, first served – the registration of a domain name for which several valid requests are received will be based on chronological order.
  • Legitimacy – a request for registration of a domain name represents to SWITCH the binding warranty of the applicant or holder that the registration to the domain name holder indicated in the request can be made legally and that the holder is entitled to use the domain name.
  • Registration for an unlimited period – the registration of domain names for the respective holder is generally for an unlimited period.
  • Duty of data maintenance – the holder is responsible for ensuring that all the data of domain names registered for the holder and recorded by SWITCH in the domain name registry (eg, the data of the contact persons and technical details of the domain name) is kept up to date, complete and correct for the entire term of registration.

How are domain name disputes resolved in your jurisdiction?

If the parties cannot agree on entitlement to a domain name or on the legitimacy of its use, they can pay to use the SWITCH dispute resolution service. Decisions issued by the dispute resolution service’s experts are binding for domain name holders even if they do not proceed to the merits in the dispute resolution proceedings.

The dispute resolution proceedings are subject to the relevant rules of procedure. Legal actions before the state courts are available to both the holder and third parties.

IP protection measures

What special measures and safeguards should rights holders consider in protecting their online/digital content?

General Swiss law applies with respect to protecting online/digital content. In this respect, Swiss design law, trademark law or copyright law must be taken into consideration. Works protected by copyright law are defined as literary and artistic intellectual creations with an individual character, irrespective of their value or purpose. Computer programs are also considered to be works. Drafts, titles and parts of works, insofar as they are intellectual creations with an individual character, are also protected by the Copyright Act.

The Trademark Protection Act gives a broad definition of the term ‘trademark’. In principle, any sign that is capable of being represented graphically can be a trademark within the meaning of the law, provided that the sign is used to distinguish goods or services from those of a competitor. Trademarks can be registered with the Swiss Federal Institute of Intellectual Property (IPI).

A design is a unique creative form that can be protected by registering it at the IPI. A design can be protected if it meets the following requirements:

  • the design is new; and
  • the design has individual character (ie, its overall impression differs sufficiently from existing designs).

Tax issues

Online sales

How are online sales taxed?

Online sales are taxable in the same manner as other sales. However, there has been a recent development in terms of value-added tax (VAT). As of January 2019, mail order companies domiciled outside Switzerland which achieve an annual turnover of at least Sfr100,000 with goods that they deliver into Switzerland are Swiss VAT-taxable because such deliveries are qualified as ‘domestic delivery’. This means that the company needs to register in the VAT Register and is therefore subject to the VAT (eg, Amazon).

Other taxes

What other tax liabilities arise in respect of the conduct of digital business in your jurisdiction?

There are no other sector-specific tax regulations in Switzerland.

Jurisdiction, governing law and dispute resolution

Jurisdiction and governing law

How do the courts determine jurisdiction and governing law in relation to online/digital transactions and disputes?

According to the Swiss Code on Civil Procedure, jurisdiction for actions in relation to consumer contracts lies with the court in the consumer's domicile. However, the consumer may also file its action at the supplier's domicile. Further, a jurisdiction agreement in business-to-consumer operations concluded before a dispute has arisen is invalid; consumers cannot validly waive or submit to a jurisdiction other than their domicile in advance.

Courts

Are there any specialist courts in your jurisdiction which deal with online/digital issues and disputes?

No.

Alternative dispute resolution

What alternative dispute resolution (ADR) methods are available for online/digital disputes? How common is ADR for online/digital disputes in your jurisdiction?

No specific dispute resolution methods for online businesses are available in Switzerland.