For Switzerland, the digital economy is both a domestic priority and an opportunity to host global governance negotiations. The Digital Switzerland Strategy envisions Switzerland as one of Europe’s most digitally competitive countries, focusing on digitalisation-friendly regulation, digital sovereignty, and digitalisation in healthcare in 2023. On the international stage, Switzerland views digitalisation as a novel area of foreign policy. The Digital Foreign Policy Strategy 2021-24 identifies priorities to establish Switzerland as a global digital governance hub, as well as fields of action, such as digital self-determination.

But what do Switzerland’s domestic digital policies stand for? This additional DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Switzerland-specific points of emphasis.

• In data governance, Switzerland revised its data protection law, established a cybersecurity centre, and is negotiating on data transfers to the United States.

• In content moderation, Switzerland is developing a regulation for digital platforms, having adopted laws regarding online minor protection and support for local content.

• In competition policy, Switzerland is adapting merger control rules to address digital markets, after prohibiting unfair practices including parity clauses and geoblocking.

• Switzerland’s points of emphasis include artificial intelligence, Distributed Ledger Technology, the regulation of the gig economy, and the taxation of the digital economy.

Jump directly to the section that interests you most:

Discover the details of Switzerland's regulatory approach on our dedicated country page.

Remain up-to-date on new and upcoming developments with our free notification service. 

Written by Tommaso Giardini and Jennifer Pullen. Edited by Johannes Fritz.

In September 2023, the revised Federal Act on Data Protection (FADP) came into force. The Act maintains Switzerland’s approach of generally permitting data processing if it is not subject to a specific prohibition. There is thus no general requirement to ground processing on a legal basis, such as consent. Other singularities of the revised Act include that the appointment of a data protection officer is voluntary and that sanctions only target natural persons. Several revisions align the Swiss regime with the European Union (EU)’s General Data Protection Regulation: The revised Act only protects natural persons (not legal entities), enshrines the concepts of privacy by design and by default, introduces the right to data portability, requires data breach reporting and local representation, and obliges firms to conduct data protection impact assessments for high-risk processing. The revised data protection ordinance details requirements, while a separate ordinance regulates data protection certification. In September 2023, Switzerland also ratified the protocol amending the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. 

Regarding cybersecurity, Switzerland established the National Cyber Security Centre in 2019 to act as the first contact point for cybersecurity issues and coordinate the implementation of the National Cyberstrategy. In January 2024, the centre will be transformed into the Federal Office for Cyber Security. In January 2023, the revised telecommunication ordinance entered into force, introducing several cybersecurity obligations. Internet Service Providers must implement detective cybersecurity measures, install systems to block connections enabling malicious activities, and establish specialised units to counter cyberattacks. Operators of 5G infrastructure must implement an information security management system and uphold specific cybersecurity standards. All telecommunication providers must notify cyberattacks that could impact over 10,000 individuals to the National Emergency Operations Centre. In January 2024, the Federal Act on Information Security will be implemented. While the Act focuses on government cybersecurity, a revision adopted in September 2023 requires critical infrastructure operators to disclose cyberattacks to the National Cyber Security Centre. The obligation applies to Switzerland-based providers of cloud computing, search engines, digital security and trust services, and data centres, as well as manufacturers of certain hardware or software used in critical infrastructures. 

Switzerland does not mandate data localisation. Data transfers, which include the remote access to data residing in Switzerland from abroad, are generally permitted to countries with appropriate data protection levels. Switzerland maintains a list of countries whose data protection level it deems adequate, based on criteria enshrined in the data protection ordinance. Since the revision of the FADP, the Federal Council is in charge of adequacy decisions instead of the FDPIC. Data transfers to other countries require additional safeguards, such as contractual clauses (to be notified to the FDPIC), standard contractual clauses (to be approved by the FDPIC), or binding corporate rules (to be approved by the FDPIC). Transferors that rely on safeguards must conduct data transfer impact assessments. Finally, Switzerland foresees derogations in which neither adequacy nor safeguards are necessary, including the data subject’s explicit consent to the specific transfer.

Switzerland is still deliberating its approach to data transfers to the United States (US), closely following EU-US developments. In September 2020, the FDPIC determined that the Swiss-US Privacy Shield does not provide adequate data protection, shortly after the Court of Justice of the EU invalidated the EU-US Privacy Shield. The EU and the US subsequently negotiated the EU-US Data Privacy Framework to replace the Privacy Shield. In October 2022, the US issued the Executive Order On Enhancing Safeguards for US Signals Intelligence Activities, establishing an international Signals Intelligence Redress Mechanism for designated “qualifying states”. In July 2023, the EU adopted its adequacy decision for the US. The FDPIC acknowledged these developments in a statement mentioning that Switzerland and the US are currently in negotiations. The Federal Council has yet to issue an adequacy decision for the US, while the US Attorney General has yet to designate Switzerland as a “qualifying state” for the Signals Intelligence Redress Mechanism. Meanwhile, the Swiss-US Data Privacy Framework Principles went into effect in July 2023 – without consequences until negotiations conclude. 

The FDPIC regularly conducts data protection investigations. In 2022, the FDPIC launched an investigation into Oracle’s data tracking practices, scrutinising allegations that Oracle collects personal data through technologies such as cookies, pixels, cross-device tracking, and JavaScript code without consent. In July 2023, the FDPIC included software provider Xplain in its investigation regarding the access by employees of the Federal Office of Customs and Border Security to the national search register of the Federal Office of Police. In May 2023, the FDPIC concluded its investigations into dating app ONCE, finding that its data deletion procedure was inadequate and issuing recommendations, to which ONCE agreed.

Switzerland is currently developing a regulation for large communication platforms. The Federal Council instructed the Federal Department of Environment, Transport, Energy and Communications to prepare a consultation draft by March 2024. The draft should include content moderation obligations, for instance requiring platforms to establish user reporting mechanisms for hate speech, depictions of violence, and threats. Furthermore, the draft should focus on user speech rights, demanding that platforms implement review mechanisms for content deletion and user blocking decisions. In addition, the draft should cover consumer protection, such as advertisement labelling and parameter disclosure, as well as requirements for foreign platforms to establish a Swiss contact and legal representation. 

In September 2022, the Federal Act on Minor Protection in Film and Video Games was adopted, for which the Federal Council is still to decree the specific implementation date. The Act mandates that all providers of on-demand and platform services, as well as video games, must establish age-verification systems to prevent minors from accessing inappropriate content. Furthermore, the Act requires providers to specify the recommended age for content and provide content descriptors. 

In January 2024, the revised Federal Act on Film Production and Film Culture will be implemented. The revision requires providers of streaming services to invest 4 per cent of their turnover in Switzerland to support local content production. Streaming providers can alternatively pay the amount as a levy to the Federal Office of Culture. Furthermore, the revision requires streaming providers to reserve 30 per cent of their catalogue for European content. This content must be specially marked and easily findable.

Switzerland’s content moderation enforcement is not documented by public, official sources. Regarding user speech rights, the Federal Supreme Court ruled in November 2021 that the deletion of comments by the Swiss Broadcasting Corporation on their online fora and social media channels is subject to legal scrutiny. Whether the comment author’s freedom of expression is unlawfully infringed is to be examined by the Independent Complaints Authority for Radio and Television (after mediation attempts). 

In January 2022, the revised Federal Act on Unfair Competition came into force. The revised Act prohibits parity clauses between online booking platforms and accommodation providers. The Act further prohibits three practices that disadvantage Swiss online consumers based on their nationality or location: Unjustified price discrimination, the regional restriction of access to online content (geoblocking), and the redirection to different website versions. 

In May 2023, the Federal Council adopted its communication on the partial revision of the Federal Act on Cartels. The revision aims to modernise merger control rules to address the unique features of digital markets. In particular, the revision proposes to shift from the current “qualified market dominance test” to the “Significant Impediment to Effective Competition” test. This extends merger control beyond mergers that establish or enhance a dominant position in a market, to all mergers that significantly hinder competition (regardless of market dominance). 

Switzerland’s competition enforcement does not focus on digital service providers, but the Competition Commission has investigated the telecommunications sector. In May 2022, the Federal Administrative Court upheld the Competition Commission’s CHF 71.8 million (approx. USD 81.5 million) fine against Swisscom and Blue Entertainment/Cinetrade. Namely, Blue Entertainment/Cinetrade transferred exclusive live broadcasting rights for football and ice hockey matches on pay TV to Swisscom (operating through Teleclub). The Competition Commission found that Swisscom’s comprehensive access to football and ice hockey broadcasts disadvantaged other television platforms. 

In November 2023, the Federal Council tasked the Federal Department of Environment, Transport, Energy and Communications with developing an overview of potential regulatory approaches regarding artificial intelligence (AI). The overview, due by the end of 2024, is meant to provide a basis for a future regulatory proposal on AI. The overview will focus on fundamental rights, identify approaches compatible with both the EU's AI Act and the Council of Europe's AI Convention, and take into account technical standards and financial implications. 

Throughout 2023, the Federal Data Protection and Information Commissioner (FDPIC) raised data protection concerns regarding AI. In November 2023, the FDPIC issued a statement underlining the applicability of the Federal Act on Data Protection to manufacturers, providers and users of AI applications. In August 2023, the FDPIC published a joint statement with ten other data protection authorities urging social media platforms to protect users against data scraping, including for AI model training. In April 2023, the FDPIC issued a guideline for AI applications, emphasising that providers must inform users transparently and understandably of the purpose of data collection and processing.

Switzerland has spearheaded the regulation of Distributed Ledger Technology (DLT) with the Federal DLT Act, which was fully implemented in August 2021. The Act adjusted various federal laws to provide a coherent regulatory basis for the technology. In particular, the Act introduced a novel licensing category for trading venues specialising in digital assets, known as DLT Trading Facilities. Moreover, it created a “FinTech Licence”, loosening regulatory requirements to support novel financial technology services, such as digital asset custody services. Finally, the Act introduced the concept of “uncertificated register securities” and enabled corporations to issue tokenised shares. 

Switzerland’s regulation of the gig economy currently unfolds on the cantonal level. Several Cantons have restricted online short-term rentals and established labour protections for online platform workers. 

Cantonal restrictions on short-term rentals started in 2018, when Canton Geneva limited repeated short-term rentals on online platforms to 90 days per year. In 2022, Canton Ticino amended its housing law to designate individuals who rent apartments with fewer than four beds for more than 90 days per year on online platforms as commercial landlords, requiring them to obtain permits. Canton Ticino also amended its tourism law, mandating (online) accommodation providers to register with a unique identification number. In the same year, Canton Bern adopted a revision of its construction ordinance restricting rentals in specific city areas. In March 2023, Canton Lucerne adopted a popular initiative enacting a yearly 90-day limit on short-term rentals.

In May 2022, the Federal Supreme Court upheld Canton Geneva’s classification of Uber as a transport company. This resulted in the classification of Uber drivers as employees, requiring the firm to pay social security contributions and provide employment protection. The Supreme Court confirmed its verdict in a February 2023 ruling regarding old age and disability pension scheme payments. 

Switzerland has adopted rules affecting both the indirect and the direct taxation of the digital economy. In June 2023, the Swiss Parliament adopted an amendment to the Value Added Tax (VAT) Act. The amendment redefines "electronic platforms" as entities facilitating connections between vendors and customers. The amendment considers vendors to make VAT-exempted sales to platforms and considers platforms themselves as the sellers of items to customers. Platforms must thus collect VAT from customers rather than vendors. 

Regarding the direct taxation of the digital economy, Switzerland participates in the OECD/G20 Inclusive Framework on Base Erosion and Profit Shifting, which has a strong digital component. In January 2022, the Federal Council announced that Switzerland would implement Pillar 2 of the Inclusive Framework, the minimum tax rate of 15 per cent for multinational companies with an annual turnover over EUR 750 million, by 1 January 2024. To uphold the timeline, the Federal Council instated a federal supplementary tax targeting in-scope companies subject to Cantonal tax rates below 15 per cent. This required a constitutional change, which was approved by popular vote in June 2023. In future, a temporary ordinance and then a federal law will regulate the minimum taxation.