Upcoming revisions

The telecoms sector is on the move, with numerous revisions being made to the following upcoming legislation:

  • the Intelligence and Security Act;
  • the Lawful Interception Act;
  • the Telecommunications Act;
  • the Copyright Act; and
  • the Data Protection Act.

The first to enter into force is the revision of the Intelligence and Security Act, followed by the revision of the Lawful Interception Act. The other revisions have yet to reach Parliament.

Intelligence and Security Act

Even after passing Parliament, the Intelligence and Security Act remained controversial and a referendum was requested, which was passed in September 2016. Ordinances have since been drafted, sent for consultation and finalised.

The new act requests the cooperation of service providers without using the terms defined in the Telecommunications Act or the Lawful Interception Act. As a result, it remains unclear who will need to cooperate (unclear personal scope of application).

Service providers will mainly have to cooperate with two measures:

  • computer system and network intrusion (eg, Trojan horses), whereby the cooperation obligations are not precisely defined, meaning that the role of the service providers remains unclear; and
  • access to cable networks, whereby service providers must provide the service with (technical) access information to the cable network, allow access to their location if requested, and provide data found by means of keyword research.

The two measures may be ordered only if certain conditions are met. The measures must be approved by the Federal Administrative Court and, besides this approval, access to cable networks must also be approved by the head of the Federal Department of Defence, Civil Protection and Sport (one of seven federal councillors). The service providers do not have the right to challenge the order unless the order requests obligations for the service provider that are unforeseen by the Intelligence and Security Act.

The act and its ordinances entered into force on September 1 2017.

Lawful Interception Act

Revision

Parliament revised the Lawful Interception Act in March 2016 and a first draft of the ordinances was sent to the authorities, political parties and stakeholders for consultation. The final version of the ordinances is still expected.

The personal scope of application of the revised act has been extended and includes the following telecoms providers:

  • telecoms service providers, as defined in the Telecommunications Act;
  • over-the-top (OTT) service providers enabling one-way or two-way communication;
  • providers of company networks;
  • providers of public access points; and
  • retailers of SIM or similar cards.

Telecoms service providers

The interception obligations for telecoms service providers remain essentially unchanged. The surveillance service must be provided with the following data:

  • identification data;
  • content data in real time; and
  • traffic data in real time and retroactively for up to six months.

The ordinances will define the different interception types in greater detail.

OTT service providers

OTT service providers now fall under the scope of the Lawful Interception Act. Until now, only certain OTT service providers fell under the scope of the act as they were considered telecoms service providers (eg, Skype), while others (eg, Facebook) were not seen as telecoms providers and were therefore not included. The revised act clarifies this and guarantees equal rights.

The main obligations of OTT service providers are to provide the surveillance service with:

  • access to their premises and systems;
  • any information requested; and
  • any traffic data in their possession.

However, major providers must provide the same data as the telecoms service providers.

The draft ordinance defines the major OTT providers as companies with:

  • an annual consolidated turnover of Sfr100 million (essentially in the telecoms sector) and which provide their OTT services to at least 5,000 customers; and
  • companies having received more than 50 surveillance requests during the past 12 months (this definition could be modified in the final version of the ordinance).

Providers of company networks and public access points

Both providers of corporate networks (eg, internal networks) and providers of public access points (eg, internet cafés, hotels, restaurants, hospitals and schools) must cooperate with the surveillance service by providing:

  • access to their premises and systems;
  • any information requested; and
  • any traffic data in their possession.

Retailers of SIM cards or similar cards

Retailers of SIM cards or similar cards must identify the purchaser and retain copies of their passports, ID or Swiss residence and work permits. The ordinance does not explicitly require in-person identification; other means of identification might be possible.

Proof of compliance

On request by the surveillance service, telecoms service providers must prove at their own cost that they comply with the Lawful Interception Act and can fulfil their obligations.

The service providers may delegate lawful interception to another service provider.

Penalties

In case of non-compliance, the revised act foresees a fine of up to Sfr100,000.

Entry into force

The revised act will enter into force on January 1 2018.

Telecommunications Act

The first draft of the revised Telecommunications Act is before the authorities, political parties and stakeholders for consultation. Based on the outcome, the authorities will send a second draft to Parliament in October or November 2017. The draft is expected to:

  • respect technology neutrality;
  • protect minors;
  • include network neutrality or transparency;
  • liberalise the use of radio frequencies; and
  • reduce the administrative burden for service providers.

The revised act is not expected to enter into force within the next three or four years.

Copyright Act

The first draft of the revised Copyright Act has been sent for consultation and contained a clause on liability exclusion for hosting and access providers if they followed a notice takedown procedure (hosting providers) or blocked transmission (access providers). The obligation for access providers to block transmission has been broadly criticised. The new draft of the act to be sent to Parliament is likely to contain a notice takedown procedure for hosting providers, together with an exclusion of liability, but no blocking obligations for access providers.

The revised act is not expected to enter into force within the next two or three years.

Data Protection Act

The draft of the revised Data Protection Act has been sent to the authorities, political parties and stakeholders for consultation. The outcome is being processed and a revised draft will be published. The first draft increases the rights of the data subject and introduces heavy penalties, so opposition from the business sector is expected and the draft to be sent to Parliament might differ from the first draft that has been published. One of the main focuses of the revision, which is likely to remain, is the adequacy of the Swiss level of data protection with regard to the protection granted under the General Data Protection Regulation (GDPR) of the European Union.

Because the GDPR enters into force in May 2018, the authorities will push the revision but it is unlikely that the revised act will enter into force within the next two years.

Comment

The pending revisions require providers to remain alert and continually adapt their processes in order to remain compliant.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.

For further information on this topic please contact David F Känzig or Katia Favre at Thouvenin Rechtsanwälte by telephone (+41 44 421 45 45) or email (d.kaenzig@thouvenin.com or k.favre@thouvenin.com). The Thouvenin Rechtsanwälte website can be accessed at www.thouvenin.com.