Legislation and regulation
Is cloud computing specifically recognised and provided for in your legal system? If so, how?
Switzerland, in general, pursues a technology-neutral approach to its laws and regulations. The supervisory laws also adopt a neutral and principle-based position regarding technological developments and business models.
The aim is to neither provide undue benefits nor to introduce disadvantages to either old or new technology. However, the fast-developing digitalisation has made it necessary to provide a legislative framework in certain areas, which allows the implementation of new business models. As an example, at the end of 2019, the Swiss Federal Council adopted the dispatch on the further improvement of the framework conditions for distributed ledger technology (DLT). The report showed that Switzerland’s current legal framework is already well suited to dealing with new technologies, including DLT. Consequently, the Federal Council refrained from drawing up a specific technology act.
Cloud computing is principally dealt with in commercial contracts and, therefore, governed by contract law, which is regulated under the Swiss Code of Obligations. Additionally, specific aspects and issues are addressed in numerous other laws and provisions. Further, a revision of the Federal Act on Data Protection of 19 June 1992 has been adopted in parliament, and it will be aligned in scope with the EU General Data Protection Regulation. It is expected to be put in force in 2022. The revised Act will have an impact on cloud computing, but not directly address specific cloud topics.
As a result, Switzerland has not introduced any laws and regulations that specifically recognise, and provide for, cloud computing. However, there are sector-specific guidelines and expert opinions that address cloud computing, although they are non-binding from a legal perspective. For example, the Swiss Bankers Association has drawn up a set of legal and regulatory guidelines for the use of cloud services by banks and securities dealers. These guidelines contain recommendations for institutions and cloud providers on the procurement and use of cloud services. The Swiss Bar Association also published a guideline, expert opinions and minimal requirements to support law firms when using cloud services.
Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?
No.
What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?
Cloud computing is provided and procured on the basis of commercial contracts. Swiss contract law is flexible and allows for coverage of all of the service models available within cloud computing. However, there are numerous laws and regulations imposing requirements, mainly related to the IT-security protection objectives, pertaining to availability, integrity and confidentiality.
According to article 321 of the Swiss Criminal Code, any person acting within the capacity of a member of the clergy, lawyer, defence lawyer, notary, patent attorney, auditor subject to a duty of confidentiality under the Swiss Code of Obligations, doctor, dentist, chiropractor, pharmacist, midwife, psychologist, nurse, physiotherapist, occupational therapist, dietician, optometrist, osteopath, or as an assistant to any of the foregoing persons must not disclose confidential information that has been confided to them in their professional capacity, or which has come to their knowledge in the practice of their profession, to an unauthorised third person.
Banking secrecy, according to article 47 of the Banking Act, is also categorised as professional confidentiality. Further, business or trade secrets enjoy additional protections under articles 162 and 273 of the Swiss Criminal Code.
While it is the precedent practice that professional confidentiality and business or trade secrecy do not strictly prohibit the employment of cloud services, appropriate safeguards must be implemented. If a cloud provider and its subcontractors do not in actuality obtain knowledge of any protected information and data being processed within the cloud, there is no disclosure of confidential information. However, the responsible professional or owner of the business or trade secret must have put appropriate technical, organisational and contractual measures in place in order to limit the risk of the provider and its subcontractors accessing the information or data. If the provider or its subcontractors have access to protected information, the duty to maintain professional confidentiality or business or trade secrecy will have to be extended and imposed upon the provider and its subcontractors. The Supreme Court has not yet had the opportunity to decide whether the outsourcing to a provider abroad is compliant with the professional confidentiality requirements.
Article 271 of the Swiss Criminal Code sanctions unlawful activities on Swiss territory on behalf of a foreign state. Under particular circumstances, this provision may limit the outsourcing of specific data from Switzerland to a provider abroad, if such data is ordered to be disclosed there during legal proceedings.
The Federal Act on the Surveillance of Mail and Telecommunication Traffic also applies to cloud services providers if they provide derived communication services, such as email or other forms of digital communication, through their cloud platforms. On the request of investigation authorities and the approval of the competent courts, providers of derived communication have to enable surveillance measures within the scope of the warrant and, upon request, must provide marginal data of the transpired telecommunication.
The scope of application of the Act is limited to Switzerland and therefore does not have an impact similar to that of the US CLOUD Act.
The Swiss Financial Market Supervisory Authority (FINMA) introduced regulatory requirements on outsourcing with the Circular 2018/3 ‘Outsourcing – banks and insurers’. It is applicable to banks, securities dealers and insurance companies. FINMA aligned the circular to reflect its principle-based approach and drafted it technology-neutral so that financial institutions are able to implement outsourcing requirements while taking their specific business models and risks into consideration. Within this framework, the appropriate allowance must be made for the higher risks resulting from the outsourcing of activities outside Switzerland, especially with regard to company restructuring and resolution in Switzerland, which must be guaranteed. This Circular applies to cloud services procured by banks, securities dealers and insurance companies qualifying as substantial outsourcing in the meaning of the Circular.
The Circular 2008/21 ‘Operational risks at Banks’ includes key international standards for handling operational risks within the Swiss regulatory framework. The term ‘operational risks’ includes a wide range of events extending from legal cases and fraud offences to incidents involving IT issues. The Circular further specifies the ‘Principles for the Sound Management of Operational Risk’ issued in June 2011 by the Basel Committee on Banking Supervision as six thematic principles. These principles require that responsibility for the management of operational risks lies with top management. They also require banks to have a systematic approach, systems and controls, reporting and an IT infrastructure that identify, limit and monitor these risks appropriately.
Where necessary, FINMA can, in the future, lay down specific requirements for managing operational risks in certain areas. Since in recent years within Switzerland attention has been drawn to the operational risks involved when handling electronic client data, FINMA has now defined additional rules in Annex 3 to the 2008/21 Circular. Nine principles are thus set out to preserve the confidentiality of electronic client data (ie, those of individuals (private clients)), and to properly manage the risks involved.
The revised Federal Act on Data Protection – which will be put in force during 2022 – applies to the processing of personal information by private persons and by federal authorities. There are numerous requirements that must be complied with, in the course of providing or sourcing cloud services. Personal data must be protected against unauthorised processing through adequate technical and organisational measures. Personal data may not be disclosed abroad if there are significant risks to the privacy of the data subjects associated with the said transfer, in particular owing to the absence of legislation that provides for adequate protection.
What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?
Breaches of professional confidentiality, of business or trade secrecy and of cross-border data transfer restrictions under articles 321, 162, 273 and 271 of the Swiss Criminal Code are generally punishable with a custodial sentence not exceeding three years or a monetary penalty, or in certain serious cases with a custodial sentence of not less than one year.
Failing to comply with a request of the surveillance office or unauthorised disclosure of a confidential surveillance under the Federal Act on the Surveillance of Mail and Telecommunication Traffic may result in a fine of up to 100,000 Swiss francs, unless the conduct is punishable as a more serious offence under another law.
What consumer protection measures apply to cloud computing in your jurisdiction?
From a data protection and privacy perspective, a cloud provider offering his or her services to a consumer (ie, a natural person), will be, as a general rule, the controller in relation to the personal data of the consumer and has therefore a direct responsibility towards the consumer to fulfil the requirements arising out of the applicable data protection laws.
Further, if a cloud provider uses for contracting purposes general terms and conditions, specific restrictions will have to be considered based on the case law of the Swiss Supreme Court. These include the rules of ambiguity and unusualness. In the case of ambiguous wording, pre-formulated general terms and conditions are interpreted against the author of the clauses. If a clause is qualified as unusual, applying an objective interpretation based on the principle of trust, said clause could be declared unenforceable.
According to article 120 of the Swiss Private International Law Act, contracts relating to the provision of ordinary goods and services intended for the personal or family use of the consumer, and which are not associated with the professional or commercial activities of the consumer, shall be governed by the law of the state in which the consumer is habitually resident, if:
A choice of law by the parties is not allowed. According to article 114 of the Act, an action brought by a consumer relating to a consumer contract as defined by article 120 may be filed, at the discretion of the consumer, before the Swiss court at the domicile or, in the absence of domicile, at the place of habitual residence of the consumer; or at the domicile or, in the absence of domicile, at the place of habitual residence of the supplier. The consumer may not waive the venue of their domicile or place of habitual residence in advance.
Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.
The professional confidentiality set out in article 321 of the Swiss Criminal Code applies to the medical, legal and auditing sectors. Banks must comply with the banking secrecy regulations. Banks and insurance companies have to implement the requirements imposed by FINMA (Circular 2018/3 Outsourcing – banks and insurers and Circular 2008/21 Operational risks at Banks).
Outline the insolvency laws that apply generally or specifically in relation to cloud computing.
In general, the Swiss Debt Enforcement and Bankruptcy Act applies in case of the insolvency of a cloud provider or its client. If a contract covering cloud services is not continued by the bankruptcy estate, segregation of physical objects in the possession of the bankruptcy estate, but owned by a third party, can be claimed.
In 2019, the Federal Council initiated a consultation on the adaptation of federal law to the developments in distributed ledger technology. One of the proposals includes a new article 242b of the Swiss Debt Enforcement and Bankruptcy Act. This provision provides a right to access the data under the control of an estate in bankruptcy if a third party can prove a statutory or contractual entitlement to the data. Costs associated with the access will have to be borne by the party requesting access to the data. The provision came into force on 1 August 2021.
© Copyright 2006 – 2022 Law Business Research