datenrecht.ch – das Datenrechts-Team von Walder Wyss

Hinweise des EDÖB zu Wearables

David Vasella — Wed, 25 Mar 2026 16:19:05 +0000

On 25.3.26, the FDPIC published on his website Notes on wearables published. They are aimed at users – buyers and parents who track their children.

The following requirements and recommendations can be derived from the information:

Manufacturer and supplier

Privacy by Design
Encrypting data transfers
Security updates, vulnerability assessment
Purpose limitation: Use of data for marketing or product development only with express consent
Transparent data protection declarations
Designate contact person for data protection inquiries; representation in Switzerland if necessary

User (buyer)

Read privacy policy and terms and conditions
Check where data is stored
Restrict app permissions to what is functionally necessary, reject or revoke unnecessary ones
Install updates regularly

Users of smart glasses and camera-enabled wearables

Informing third parties about recordings and obtaining consent
Refrain from undercover recordings (criminal law)

Parents

Act in the interests of the child and respect their privacy
Children cannot consent to their own surveillance

You will largely agree with this, except on one point:

Under Swiss law, the use of data for marketing purposes or for the development of own products requires the express consent of the data subject (see also Cookie Guide).

The processing of particularly sensitive personal data only requires consent if the principles of data processing are violated or such data is passed on to other data controllers (see e.g. here). The controller may therefore generally use health data for marketing purposes and product development without consent, including with profiling, also using machine learning.

The FDPIC does not justify the consent requirement in his guidance, but is likely to consider the processing of health data for the purposes mentioned as disproportionate from which he derives a requirement for consent.

Whether this argument is admissible or rather the free purpose of the person responsible violated, does not need to be discussed in detail here (see here). In any case, however, disproportionality could be only in individual cases and all circumstances would have to be taken into account, including

the cost of the wearable or the associated services,
the question of whether or not sensor data for marketing purposes uses potential health data as such. Upselling in an app based on training data, for example, uses data that allows conclusions to be drawn about the state of health, but the controller does not have to use this information content. If he does not do so, his processing cannot be equated with the processing of health data;
Opt-out or other control options for the user;
whether product development or marketing measures are also in the well-understood interest of the user.

It is also interesting to note the FDPIC’s reference to the Cookie guide. The FDPIC assumes that the use of non-essential cookies tends to be disproportionate and then requires justification. This is questionable in such general terms. In any case, however, the FDPIC also expressly leaves out the Justification by overriding interests open, and the same should apply here.

As a result, those responsible for data processing via wearables are advised to at least provide an opt-out right, i.e. a low-threshold option for limiting the use of sensor data. In this case, overriding interests are more likely or – which amounts to the same thing – a classification as proportionate.

Interpellation Molina (26.3414): Umsetzung der KI-Konvention des Europarats in der Schweiz

David Vasella — Sat, 21 Mar 2026 08:40:02 +0000

Interpellation Molina (26.3414): Implementation of the Council of Europe’s AI Convention in Switzerland

Submitted text

On March 27, 2025, Federal Councillor Albert Rösti signed the Council of Europe Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law on behalf of Switzerland. On February 12, 2025, the Federal Council decided to ratify the convention and instructed the FDJP to draw up a «minimum draft» by the end of 2026. However, the Federal Council’s communications to date on the implementation of the AI Convention remain conspicuously vague. While technological development in the field of AI is progressing at a rapid pace and AI systems are increasingly being used in areas relevant to fundamental rights, the Federal Council predominantly on legally non-binding instruments such as declarations of commitment and codes of ethics. It is questionable whether this approach does justice to the protection mandate of the Convention.

The Council of Europe’s AI Convention obliges signatory states to ensure the protection of human rights, democracy and the rule of law throughout the life cycle of AI systems. In view of the rapid development of AI technologies and their increasing importance in key areas of people’s lives, fundamental questions arise as to the seriousness and effectiveness of the planned implementation. The exclusion of the private sector is particularly worrying. Although the Convention itself allows for this flexibility, numerous civil society organizations criticize the fact that such an exception considerably weakens the Convention. Against this background, I would ask you to answer the following questions:

What specific amendments to the law are provided for in the consultation draft by the end of 2026, namely in the areas of transparency, data protection, non-discrimination and supervision?

What evidence is the Federal Council aware that declarations of commitment and codes of ethics are an effective instrument for protecting the fundamental rights of the population when AI systems are used by private actors?

How does the Federal Council ensure, that the chosen «minimum variant» of implementation will not lead to Switzerland becoming a location with a lower level of protection in international comparison – especially compared to the EU with its AI Act?

Anpassung der KVV, Vernehmlassung: Datenaustausch zwischen Kantonen und Krankenversicherern

David Vasella — Sat, 21 Mar 2026 08:28:06 +0000

Parliament has an amendment to the KVG was adopted in June 2024 with the aim of electronic data exchange between municipalities or cantons and health insurers, the clarification of residence issues when calculating premiums and the elimination of „phantom insureds“ from the risk equalization system. The Federal Council has now submitted the explanatory report on the implementing provisions in the KVV for consultation in March 2026:

The amendments to the ordinance are due to come into force on June 1, 2027.

Among other things, the FDHA is to be authorized to regulate the data exchange procedure in a separate ordinance. The data exchange should cover the following areas:

Checking the insurance obligation, determining the canton of employment of cross-border commuters and the place of residence of the insured person
Information from the cantons to insurers about double and multiple insurance policies
Insured persons who cannot be contacted and whose insurance obligation is to be suspended
Determination of the number of insured persons pursuant to Art. 16a para. 1 let. b KVG, in particular for the identification of asylum seekers, temporarily admitted persons and persons in need of protection without a residence permit who receive social assistance

Information on the receipt of social assistance is particularly sensitive personal data within the meaning of the FADP. Until now, cantons have not passed on such data to insurers due to a lack of legal basis. In the course of the aforementioned KVG revision, Art. 16a para. 2 KVG was therefore created as the formal legal basis for this data transfer.

The bill also regulates a staggered procedure for insured persons who cannot be contacted up to the exclusion of persons who cannot be contacted from the pool of insured persons.

EuGH, Rs. C‑526/24 (Brillen Rottler): Rechtsmissbräuchlichkeit eines zweckwidrigen Auskunftsbegehrens

David Vasella — Fri, 20 Mar 2026 06:58:01 +0000

The ECJ had ruled in Rs. C‑526/24 in the case of Brillen Rottler to assess whether a first-time request for information can be considered „excessive“ within the meaning of Art. 12 para. 5 GDPR. This is true, and the requirements are not even far removed from Swiss law – the inappropriateness of the request. Another question again concerned compensation for damages.

The background to this was a request for information from a person living in Austria who had registered for a newsletter from Brillen Rottler, an optician company in Germany. Almost two weeks later, this person submitted a request for information, which Brillen Rottler rejected as abusive. The person concerned subsequently continued to demand information and damages of EUR 1,000 – clearly a systematic approach. In the following proceedings, the Arnsberg Local Court referred eight questions to the ECJ for a preliminary ruling.

Inappropriate requests for information

The ECJ first confirms that the Abuse of a request for information should not be assessed solely on the basis of the number of requests The frequent repetition is only mentioned as an example in Art. 12 (5) GDPR:

26 In addition, the second sentence of the first subparagraph of Article 12(5) GDPR states that requests may be excessive „in particular in the case of frequent repetition“. The accumulation of requests by a person may therefore be an indication that they are excessive […]. However, as the Advocate General […] has emphasized, since frequent repetition is only mentioned as an example in this provision, the classification of a request for information as „excessive“ does not require that the request in question must necessarily be related to the submission of several requests by the same data subject.

27 In view of an interpretation of Art. 12 para. 5 GDPR based on the wording, it can therefore not be ruled out that a first request for information can be regarded as „excessive“ within the meaning of this provision.

The exception is To be interpreted narrowly:

35 It follows that it is possible to consider a first request for information to the controller under Art. 15 GDPR as „excessive“ within the meaning of Art. 12(5) GDPR. However, since the term „excessive requests“, as can be seen from para. 29 of the present judgment, must be interpreted narrowly, a controller can only invoke such an excessive character in exceptional cases and the standards for classifying a first request for information as „excessive“ must be high, as stated by the Advocate General in point 34 of his Opinion. Furthermore, it should be noted that according to Art. 12 (5) subpara. 2 GDPR, the controller must expressly provide proof of the excessive nature.

But even if the exception is to be interpreted narrowly: Union law recognizes a General prohibition of abuse of rights:

30 However, it follows from the case-law of the Court of Justice on the interpretation of the concept of „excessive requests“ in Article 57(4) GDPR, which is applicable to the present case […], that Article 12(5) GDPR expresses a general principle of Union law according to which individuals may not rely on Union law standards in a fraudulent or abusive manner […]. The application of Union law cannot go so far as to protect processes that serve an abusive purpose […].

Abuse of rights presupposes two elements – that the regulatory objective of the right to information would be missed and the person concerned pursues an abusive intention:

36 Secondly, with regard to the circumstances under which the data subject’s first request for information can be classified as „excessive“ within the meaning of Art. 12(5) GDPR and thus constitute an abuse of rights within the meaning of the case law cited in recitals 23 and 30 above. 23 and 30 above, two elements are required to prove abusive conduct, namely, on the one hand, a set of objective circumstances showing that, despite formal compliance with the conditions laid down in the Union legislation, the objective of that legislation has not been achieved and, on the other hand, a subjective element consisting of the data subject’s intention to obtain an advantage resulting from the Union legislation by artificially creating the conditions for obtaining it. Such a classification must also take into account all the facts and circumstances of the individual case […].

In particular, requests that pursue a purpose contrary to data protection and are made with the intention of enrichment appear to be an abuse of rights – the ECJ is pleasingly close to Swiss law here. The Data protection purpose of the right of access is defined by the ECJ as follows, again in accordance with Art. 25 FADP:

45 […] may be regarded as „excessive“ within the meaning of that Article 12(5) if the controller demonstrates, having regard to all the relevant circumstances of the case, that that request […] was not made in order to become aware of the processing of those data and to verify its lawfulness so that it can subsequently protect its rights under the GDPR, but with abusive intent […].

In particular, a request for information would therefore be an abuse of the law if the person responsible just set a trap shall:

45 […] as to artificially create the conditions for obtaining an advantage resulting from the GDPR.

The assessment of abuse of rights lies with the substantive court. This may also take public information into account, which provide information about the motive of the person concerned:

45 […] The fact that, according to publicly available information, the data subject has made several requests for access to his or her personal data, for example, followed by claims for damages against various controllers, may be taken into account for the purpose of establishing such an abusive intention.

Compensation possible in the event of a breach of the right to information

Art. 82 para. 1 GDPR grants a claim for damages „for breach of this Regulation“. From this, the ECJ concludes that unlawful data processing is not required, but merely a violation of the GDPR, e.g. the right of access

48 According to Art. 82(1) GDPR, a person who has suffered material or non-material damage „as a result of an infringement of this Regulation“ is entitled to compensation from the controller. It should be noted that this provision makes no reference to „processing“, so that the claim for compensation cannot be limited to damage resulting from the processing of personal data.
[…]
54 It follows from this that the data subject can also invoke the right to compensation provided for in Art. 82 GDPR in the event of a breach of the GDPR, where no data processing is implied as such.

55 Accordingly, the answer to the fifth and sixth questions is that Article 82(1) GDPR must be interpreted as granting the data subject a right to compensation for the damage resulting from a breach of the right of access under Article 15(1) GDPR.

Interruption of causality

The ECJ confirms its case law according to which the mere loss of control over personal data or uncertainty about the processing can constitute non-material damage. There is no de minimis threshold. However, the data subject must prove that they have actually suffered damage and that there is a causal link between the breach and the damage. This causal link can be be interrupted by the behavior of the person concerned.

The ECJ raises a second line of defense against abusive requests for information: An interruption occurs, among other things, if the data subject has created the loss of control or uncertainty himself by transmitting data in order to be able to assert claims afterwards (i.e. an interruption through gross self-culpability, so to speak):

65 In order to provide the referring court with a useful answer, it must also be pointed out that the causal link between the alleged infringement and the alleged damage may be broken by the conduct of the person concerned, provided that that conduct proves to be the decisive cause of the damage. A corresponding action can consist, among other things, of a decision by the injured person, but only if this decision was not mandatory for him […].

66 It also follows […] that the existence of a causal link […] is a sine qua non for a claim for damages […]. Consequently, the data subject […] cannot be granted compensation for damage allegedly suffered as a result of the loss of control over his personal data or his uncertainty as to the existence of processing of those data if the causal link is broken as a result of that person’s conduct because said loss of control or said uncertainty was brought about by the decision of the person concerned, to transmit this data to the controller with the intention of artificially creating the conditions for the application of this provision.

Motion Müller (26.3044): Rechenschaft über unternehmensinterne Datenflüsse und Datenbestände

David Vasella — Wed, 04 Mar 2026 18:49:11 +0000

Motion Müller (26.3044): Accountability for internal company data flows and databases

Submitted text

The Federal Council is instructed to submit a bill to Parliament to amend the Swiss Code of Obligations (CO), which:

Companies that are subject to an ordinary audit are obliged to disclose the following in the management report Accountability for their internal data flows and their databases to file.

To this end, Article 961c para. 2 CO is to be supplemented by a paragraph requiring the disclosure of the data flow and the company’s key data sets.

Justification

Initial situation and need for action
Today, data is a key economic production factor. It is the basis for business decisions, innovation, increased efficiency and new business models. Despite this importance many companies do not have a systematic overview of their internal data flows and their databases.

This lack of transparency leads to increased legal, organizational and security-related risks, particularly in the areas of data protection, information security, compliance and corporate governance. At the same time, it makes it difficult for investors, supervisory authorities and other stakeholders to realistically assess the economic situation of a company.

The current Code of Obligations does not yet include a general obligation to account for the handling of data. This gap stands in contrast to national and international developments, which are increasingly focusing on transparency, accountability and data governance.

2. integration into the existing legal system
The handling of data is currently regulated fragmentarily in Swiss law, including by data protection law, intellectual property law, competition law and sector-specific decrees. However, there is no overarching, company-specific transparency obligation.

With a selective Addition to Article 961c CO this gap can be closed without affecting existing special laws. Disclosure is made in the Management report and thus supplements existing disclosures on risk assessment and the internal control system.

It makes sense to provide a simple overview in the sense of a Cockpits across all databases. It is based on data that is already available as part of the internal control system, risk management or, where applicable, special statutory documentation obligations. A This does not result in additional costs.

The proposed regulation strengthens the Corporate Governance and increases the maturity of corporate management. It promotes a more conscious, secure and economically efficient handling of data.

At the same time, it increases the Attractiveness of the business location Switzerland. In addition, the measure supports the cross-border movement of data and capital and positions Switzerland as a reliable, competitive digital and business location.

A targeted amendment to the Code of Obligations can significantly improve transparency in the handling of data. The motion contributes to strengthening data governance, minimizing risk and securing Switzerland’s long-term competitiveness without creating new parallel regulations.

GPK, Jahresbericht 2025: Datenaustausch FINMA/PUE/BAG im Bereich Krankenzusatzversicherung

David Vasella — Fri, 27 Feb 2026 11:16:29 +0000

The Control Committees (CC) and the Control Delegation (CCDel) of the Federal Assembly have published the 2025 Annual Report (BBl 2026 396). Among other things, the report on an investigation by the GPK‑S into supervisory activities in the area of supplementary health insurance is interesting.

Since 2020, the Swiss Financial Market Supervisory Authority (FINMA), price monitoring (PUE) and the Federal Office of Public Health (BAG) based on a Memorandum of Understanding (MoU). The question was whether there was a sufficient legal basis for this. An expert opinion prepared by the Federal Office of Justice (FOJ) confirmed that the previous exchange took place on a sufficient legal basis, Art. 39 para. 1 and 1bis FINMASA, Art. 34 para. 5 KVAG and Art. 62 KVAV:

On behalf of the Federal Council, the PUE and the FOPH intensified their cooperation with FINMA in the area of supplementary health insurance and formalized it from 2020 in a Memorandum of Understanding (MoU). The GPK‑S took note of the overall positive results of the increased cooperation – particularly in the area of on-site inspections and the supervision of service providers’ tariffs. The FOJ’s legal investigations also confirmed that the intensification of cooperation between the three authorities to date was lawful. The applicable law gives FINMA, the PUE and the FOPH sufficient leeway to exchange information in the form of information and documents as provided for in their MoU.

With the new DSG Trade secrets of legal entities as particularly sensitive data within the meaning of Art. 57r para. 2 let. b RVOG. The disclosure of such data by federal bodies requires a Basis in a law in the formal sense required (see here):

Whether the existing legal basis – in particular Art. 39 FINMASA – is sufficient for every exchange between FINMA, the PUE and the FOPH is unclear, which is why the CPC‑S recommends that an explicit provision on data disclosure be included in a future revision of FINMASA:

However, the Commission found that it would be useful to re-examine the legal basis for the disclosure of legal entities’ data relating to trade secrets. With the entry into force of the new Data Protection Act (DPA) on 1 September 2023, the requirements for the standard level of the legal basis required for the disclosure of such data were increased. Since then, this data has been considered particularly worthy of protection within the meaning of Article 57r paragraph 2 letter b of the Government and Administration Organization Act (RVOG), so that federal bodies may only disclose this data if «a law in the formal sense provides for this» (Art. 57s para. 2 RVOG). Against this background and depending on the future requirements for cooperation between FINMA, the PUE and the FOPH, it should therefore be examined whether a corresponding provision should be included in Article 39 FINMASA. The SIF has assured the GPK‑S that it will examine the corresponding need for action on the basis of the FOJ’s legal analyses in a future revision of the law.

Heimliche Gesprächsaufzeichnung als Beweismittel im Strafverfahren zugelassen

David Vasella — Thu, 26 Feb 2026 15:36:09 +0000

The Geneva Chambre pénale de recours had to deal with the question of whether a secretly made audio recording of a medical conversation used as evidence in criminal proceedings may be used. It confirmed the usability despite a possible violation of Art. 179ter SCC (decision of January 8, 2026, ACPR/27/2026).

The case concerned an allegation of sexual assault of a patient by a doctor in Geneva. The patient returned days later for a wound check and recorded her conversation with the doctor, in which he admitted the offense.

For evidence collected by private individuals, there is no explicit regulation on usability in the event of inadmissible procurement. However, the Federal Supreme Court has developed a test (1B_91/2020, March 4, 2020, E. 2.2):

Could the criminal authorities have obtained the evidence legally?
Does a balancing of interests justify the exploitation?
There must then have been sufficient grounds for suspicion of a serious criminal offense at the time of the recording.

In this case, the Geneva Chamber affirmed the usability:

The public prosecutor’s office could have ordered technical monitoring of the conversation if it had been aware of the incidents at an early stage.
Sexual assault is a catalog offense under Art. 269 para. 2 of the Code of Criminal Procedure and entitles the court to order surveillance.
The principle of subsidiarity StPO 269 I lit. c: other measures must have remained unsuccessful or be pointless) does not apply to private recordings (6B_786/2015, February 8, 2016, E. 1.3.1).
The public interest in establishing the truth outweighs the personal rights of the accused:
- Sexual assault is a crime that violates an extremely important legal right: sexual integrity;
- the recording was significant for the credibility assessment of the parties’ statements;
- there was already sufficient suspicion at the time of admission, even if the criminal complaint had not yet been filed.

The background was not medical confidentiality (Art. 321 StGB), because the patient and not the doctor is the owner of the secret.

Revision des NDG: Datenhaltung, DSFA und Auskunftsrecht

David Vasella — Thu, 26 Feb 2026 15:02:21 +0000

On January 28, 2026, the Federal Council adopted the dispatch on the amendment to the Intelligence Service Act (ISA) and submitted it to Parliament:

The revision will be carried out in several packages; an additional package on cyber threats is planned for consultation in mid-2026.

The bill is intended to respond to the heightened threat posed by terrorism, extremism, espionage and cyberattacks and also contains, among other things, innovations in data protection law – the data storage of the Federal Intelligence Service (FIS) is being redesigned, the right to information is being aligned with the FADP and a data protection impact assessment (DPIA) is being carried out in accordance with Art. 22 FADP.

Data management

Previously, the NDG listed the information systems of the FIS, but this is now regulated, Which categories of data for which tasks may be processed, how incoming data is to be checked, the purposes of processing, the access authorizations and quality assurance measures for the anonymization or deletion of data that is no longer required.

An apparent deviation from the DSG remains: Incorrect data may be processed if they are marked accordingly, because even incorrect information can be analytically relevant:

Art. 51 Verification of correctness

1 The FIS checks the raw data for accuracy before marking it as working data.

2 It may process personal data, including particularly sensitive personal data that has been found to be incorrect in terms of content, insofar as this is necessary to fulfill its duties in accordance with Article 6.

3 It marks the data in question as incorrect in terms of content.

On closer inspection, however, this is not an exception, but a declaratory statement: if information is objectively incorrect, but its incorrectness is precisely the subject of the processing – which excludes the error about the incorrectness – the information processed in this way is not functionally incorrect, just as in the case of abstractly incorrect archive data, the statement of which is not intended to be this information content, but the fact that this information was recorded at a certain point in time.

Access right

The draft adapts the regulation of the right to information. The FADP alone applies to administrative data. In principle, it also applies to intelligence data, but with two special features:

Postponement of the information: The FIS may continue to postpone the provision of information even if the person making the request is not listed (Art. 63a para. 3 let. b FNIA). However, it no longer has to order the deferral in every case. The data subject may request the FDPIC to review the lawfulness of the data processing and the deferral (Art. 63b FNIA) and then apply to the Federal Administrative Court for a further review (Art. 65 FNIA).
Refusal or restriction of information: If the FIS refuses or restricts the information, it must issue a reasoned ruling (Art. 63a para. 2 FNIA), which can be appealed through the ordinary courts.

DSFA

A DPIA was prepared for the draft, which identified the following main data protection risks:

the „uncanny experience“: Data subjects know or suspect that the FIS is collecting data about them without knowing why;
the violation of legal requirements, whereby the Quality assurance and processing barriers are undermined;
Work products based on outdated intelligence data, which in turn can result in far-reaching measures;
Transfer of archive documents to the Federal Archives, that still openly name sources worthy of protection.

Taking into account the countermeasures, the DPIA no longer identified any high data protection risks. In the area of data security, spying on information, espionage and eavesdropping remain high residual risks. In his opinion of January 28, 2025, the FDPIC assessed the DPIA as fundamentally positive.

Tasks and measures of the FIS

The revision package also provides for,

the remit of the NDB to the entire cyberspace and to establish a competence for maintaining contacts with operators of critical infrastructures;
a new procurement measure requiring approval for Information from financial intermediaries with a view to investigating terrorist financing and espionage networks;
extend the scope of procurement measures requiring authorization to violent extremism;
a Explicit legal basis for profiling, including high-risk profiling;
strengthen the internal quality assurance unit, which, among other things, monitors the Use of adaptive programs (algorithms) for the processing of personal data during the entire period of use.

The measures requiring approval remain temporary and require approval by the Federal Administrative Court and political clearance by the Head of the DDPS.

These measures were met with criticism during the consultation process:

Go to Measures vis-à-vis financial intermediaries the Bankers Association and Economiesuisse demanded a more precise legal basis in the consultation procedure, stating that Art. 26 para. 1 let. f E‑NDG did not release the banks from bank client confidentiality. The FAC criticized the open wording of the provisions and lacked implementing provisions comparable to Art. 285 StPO.
The Extension of measures requiring approval to violent extremism. Some cantons and Privatim warned of a «chilling effect» on freedom of assembly and freedom of expression and rejected the extension.
With regard to the Professional secrecy the Federal Council has dispensed with the deletion of Art. 28 para. 2 NDG provided for in the preliminary draft; this provision, according to which no procurement measures requiring authorization may be ordered against persons with professional secrecy (including the legal profession) as third parties, remains in place.

Supervision

The tasks of the Independent Supervisory Authority for Radio and Cable Intelligence (UKI) are transferred to the Independent Supervisory Authority for Intelligence Activities (AB-ND), the UKI will be abolished. This was welcomed in the consultation process; however, the institutional connection remained controversial. Some cantons and privatim had called for the AB-ND to be attached to a department other than the DDPS – e.g. the FDJP – or for complete administrative independence, while privatim also called for the United Federal Assembly to elect the head of the authority; the Federal Council did not agree.

EDÖB und weitere Behörden: gemeinsame Erklärung zu KI-generierten Bildern

David Vasella — Wed, 25 Feb 2026 08:41:00 +0000

On February 23, 2026, 61 data protection authorities including the FDPIC and the EDPB, the CNIL (FR) and the ICO (UK) published a joint statement on AI-generated images:

Joint declaration on AI-generated images (EDÖB, 23.2.2026)
Joint Statement on AI-Generated Imagery and the Protection of Privacy (PDF)
EDPB media release (23.2.2026)

The declaration is aimed at developers and operators of generative AI. The background to this is the fact that it is becoming increasingly easy to generate realistic images and videos of people without their knowledge, including intimate depictions and defamatory content. The declaration therefore formulates four Expectations of organizations that develop or use generative AI:

Protective measures against the misuse of personal data and the creation of non-consensual intimate images, in particular depictions of children
Transparency regarding capabilities, protective measures, permissible uses and consequences of misuse of AI
Deletion mechanisms so that those affected can quickly request the removal of harmful content
Measures for the special protection of children

The AI Act contains a labeling requirement for deepfakes (applicable from August 2026). In Germany, for example, there is a draft bill for a new Section 201b of the Criminal Code that would criminalize deepfakes:

§ Section 201b Violation of personal rights through digital forgery

(1) Anyone who violates the right of personality of another person by using media content produced or modified by computer technology that violates the Appearance of a true-to-life image or sound recording the external appearance, behavior or verbal statements of this person, to a third person. makes accessible, shall be punished with imprisonment of up to two years or a fine. The same applies if the offense pursuant to sentence 1 relates to a deceased person and their personal rights are seriously violated as a result.

(2) Anyone who makes the media content accessible to the public in the cases referred to in subsection (1) sentence 1 or makes media content accessible that relates to an event in the highly personal sphere shall be liable to a custodial sentence not exceeding five years or to a monetary penalty.

(3) Paragraph 1 sentence 1, also in conjunction with paragraph 2, shall not apply to acts performed in the exercise of overriding legitimate interests in particular for art or science, research or teaching, reporting on current events or history or for similar purposes.

(4) The image or sound carriers or other technical means used by the offender or participant may be confiscated. § Section 74a shall apply.
[Amendment of Section 205 and the Code of Criminal Procedure]

In Switzerland, the National Council rejected the Motion Mahaim (23.3563) on the regulation of deepfakes in public spaces in May 2025. Depending on the subject matter of deepfakes, however, criminal law provisions, civil law protection of personality rights, fair trading law, etc. may apply.

Neuer Prompt: Data Protection Role Model

David Vasella — Tue, 24 Feb 2026 13:30:41 +0000

A new prompt in our Prompt Library supports the classification of data processing entities as controllers, joint controllers or processors under Swiss law. As usual, the prompt is available from us and can be used freely, and is available as CustomGPT.

The bot guides you through the examination of data protection roles via a predefined decision tree, which includes the identification of the processing and the bodies involved, the determination of primary responsibility, the examination of order processing with four main criteria and three doubtful case rules and the examination of joint responsibility. Constellations such as body leasing are also taken into account.

Because OpenAI limits the instructions of a CustomGPT to 8,000 characters and the complete logic with all questions, options and a template for documenting the result comprises around 10,000 characters at the end, the prompt is split up:

Instructions (approx. 3,400 characters): Rules of conduct and brief overview; controls how the bot proceeds;
Knowledge document (approx. 10,000 characters): Complete audit logic, criteria, skip logic and protocol template – controls, what the bot checks.

We have also deposited the publicly accessible essay by David Rosenthal on data protection roles as know-how, Controller or processor: The crucial question under data protection law, in: Jusletter June 17, 2019 (who, of course, assumes no responsibility for our prompt or its use).

US-Zugriffsbefugnisse auf Daten in der Cloud: Gutachten Uni Köln vom März 2025

David Vasella — Wed, 21 Jan 2026 10:58:19 +0000

Are authorities, companies and holders of professional secrets allowed to use cloud services from US providers, indirectly US-controlled providers and other providers with a foreign connection? This question has been on the agenda for years, not only in Switzerland, but also in other countries – ultimately since Edward Snowden. For public bodies, the focus is on compliance with fundamental rights and official secrecy, while for private individuals it is on private data protection law and the question of the conditions under which outsourcing to a cloud provider is compatible with professional secrecy. A chronology of the corresponding discussion we have published on datenrecht.

As is well known, the discussion revolves primarily around the question of which risks of access by authorities abroad may be accepted, whether „acceptance“ of the risk of such access is prohibited at all or whether such access must rather be accepted because other risks for data subjects can be reduced through the use of corresponding cloud solutions. This discussion is one of Swiss federal and cantonal law. However, the law of the foreign countries concerned, and the USA in particular, plays a significant role as a risk factor.

In this context, the December 2025 Expert opinion made public through a freedom of information request interesting to read and an occasion for a corresponding presentation. A person from the University of Cologne was commissioned by the German Federal Ministry of the Interior (BMI) to write a legal opinion on the US legal situation in March 2025. The report is currently only available in a redacted version.

Expert opinion assignment

The BMI asked three questions:

What is the current legal situation in the USA? Do US intelligence services have a right of direct access to cloud information and a right of disclosure vis-à-vis cloud providers?
Are foreign providers also subject to US jurisdiction?
Does such a right of access also exist if a US company establishes a German subsidiary under German law and operates the cloud on German territory?

The report analyzes the relevant US surveillance law, essentially with the following findings, some of which we have supplemented with additional information or further references:

FISA

Section 702

Section 702 FISA (Title VII) is the central regulation for the surveillance of „non-US persons“ outside the USA. It authorizes US intelligence agencies to collect communications data from Electronic Communication Service Providers (ECSPs). The Foreign Intelligence Surveillance Court (FISC) only approves the monitoring parameters annually, not individual target persons.

Section 702 applies factually to All cloud service providers and data centers Application. The procedure is largely carried out without comprehensible judicial review; in principle, no judicial search warrant is required for the order.

Section 501/502

Section 501/502 FISA (Title V), also Section 215 of the USA PATRIOT Act, authorized the FBI to apply to the FISC for orders to surrender „tangible things“ (including business records and documents). This provision was the basis for the NSA mass collection of telephone metadata. The USA FREEDOM Act 2015 restricted this „bulk collection“ and at the same time extended the term of the provision until March 2020.

However, Section 501/502 expired in March 2020 and has since been not renewed. Accordingly, the opinion states that Section 502 FISA is no longer applicable.

Title IV FISA

Title IV FISA (Sections 401–406) regulates the use of Pen Registers and Trap-and-trace devices for intelligence purposes. A Pen Register captures „dialing, routing, addressing, or signaling information“ of outgoing communication, a Trap-and-Trace Device the corresponding data of incoming communication (18 U.S.C. § 3127). Both instruments explicitly do not record communication content, but only metadata.

The USA FREEDOM Act 2015 also prohibited the bulk collection and has since demanded a specific selection term, i.e. a concrete point of reference such as a specific person, account or device. The hurdle for a FISC order under Title IV is lower than for surveillance under Title I (electronic surveillance with content): It is sufficient to certify that the information is likely to be relevant for an ongoing investigation to protect against international terrorism or clandestine intelligence activities.

Stored Communications Act & CLOUD Act

The Stored Communications Act (SCA) obliges providers of electronic communications services and remote computing services to disclose communications content, documents stored in clouds and metadata. With the amendment to the CLOUD Act of 2018 that this obligation also applies to data stored outside the USA (background was the case United States v. Microsoft Corp., in which Microsoft refused to hand over emails stored in Ireland).

Legal protection

Legal protection against SCA orders is limited under the CLOUD Act. Covered service providers can challenge an order („motion to quash or modify“, 18 U.S.C. § 2703(h)), if

the data subject is not a US person and does not live in the USA,
the surrender of the right of a qualifying foreign government would hurt, and
the court comes to the conclusion after a comity analysis (i.e. weighing up the conflicting interests) that the order should be lifted.

As qualifying foreign government only one state that has a treaty with the USA applies. Executive Agreement to 18 U.S.C. § 2523 has concluded. Such executive agreements initially allow simplified mutual data access between law enforcement authorities and remove the otherwise applicable data protection regulations. Blocking Statutes (i.e. data sharing bans). To date, such agreements only exist with the United Kingdom (in force since October 2022) and Australia (in force since January 2024). Negotiations are ongoing with the EU and Canada (BSA TechPost).

For Swiss companies, this means that No special legal protection against orders under the SCA. A service provider can also raise a comity defense without an executive agreement. common law-basis (CLOUD Act § 103(c)), but whether legal protection is granted is at the broad discretion of the competent US court. Switzerland would, however, also have to accept that US authorities could serve restitution orders directly on Swiss CSPs, outside the scope of mutual legal assistance. The Swiss Bankers Association in particular is opposed to such an agreement. skeptical about.

EO 12333

The Executive Order 12333 then authorizes US intelligence agencies to collect intelligence-relevant information abroad. The cooperation of the server operators is not required in principle; security gaps in the IT infrastructure are exploited. The conditions for such access are not publicly known.

EO 14086 and Data Privacy Framework

The report says nothing about Executive Order 14086 – probably because it is heavily redacted and/or because it focuses primarily on supervisory powers and not on protection mechanisms. However, EO 14086 is relevant for the overall picture.

In October 2022, President Biden announced the Executive Order 14086 („Enhancing Safeguards for United States Signals Intelligence Activities“; see here). Together with a regulation issued by the Attorney General, it forms the basis for the Adequacy decision of the EU Commission of July 2023, the EU-US Data Privacy Framework. EO 14086 provides for Restrictions on intelligence surveillance of Non-US Persons:

Signals intelligence may only be used to pursue defined legitimate objectives (e.g. counter-terrorism, counter-espionage, protection of national security).
Monitoring must be necessary and proportionate.
A new redress mechanism has been created: Data subjects from „qualifying states“ can file complaints with the Civil Liberties Protection Officer (CLPO), whose decisions can be reviewed by a newly created Data Protection Review Court.

In August 2024, the Federal Council invited the USA to the List of countries with an adequate level of data protection set, to the extent that recipients are certified under the Data Privacy Framework. However, the registration only applies to data recipients that are subject to the Framework, i.e. US companies that have certified themselves to the US Department of Commerce.

Whether EO 14086 offers effective protection in practice is disputed. noyb published a Complaint against the Irish data protection authority because it is not taking any measures against Meta despite its known surveillance practices. The organization argues that the framework, like its predecessors Safe Harbor and Privacy Shield, is legally untenable.

Reforming Intelligence and Securing America Act (RISAA) 2024

The report also addresses the Reforming Intelligence and Securing America Act (RISAA) which came into force on April 20, 2024 and extended Section 702 FISA until April 20, 2026 (see our previous post). In 2022, a cloud data center objected to a disclosure order before the FISC on the grounds that it was not an „electronic communication service provider“. The FISC ruled in favor of the company and blocked the order. The FISC decision from 2022 and the confirming FISCR decision from 2023 are heavily blacked out. RISAA was the legislative response.

Above all, Section 25 Definition of „Electronic Communication Service Provider“ considerably expanded. This definition in 50 U.S.C. § 1881(b)(4) determines which companies can be obliged to cooperate in Section 702 monitoring.

The old version read as follows:

(A) a telecommunications carrier […];

(B) a provider of electronic communication service […];

(C) a provider of a remote computing service […];

(D) any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored; or

(E) an officer, employee, or agent of an entity described in subparagraph (A), (B), (C), or (D).

Section 25 RISAA added a new letter (E), the previous (E) became (F) with an addition. The new category reads:

(E) any other service provider who has access to equipment that is being or may be used to transmit or store wire or electronic communications, but not including any entity that serves primarily as: (i) a public accommodation facility; (ii) a dwelling; (iii) a community facility; or (iv) a food service establishment.

The old category (D) required as one Communication Service provider with access. The new category covers each Service provider with access to devices that are or can be used for communication. The expert opinion:

„Nowadays, every service provider who uses smartphones, computers and Wi-Fi routers in their company has “access” to such devices. Service providers therefore no longer need to be telecommunications providers. Rather, an unmanageable number of service providers are covered, laundromats, hairdressers, fitness centers, dental practices, DIY stores and commercial landlords of office space.

Civil rights organizations such as the Brennan Center for Justice, the Electronic Frontier Foundation and the Center for Democracy and Technology have criticized RISAA accordingly as „Patriot Act 2.0“. Senator Ron Wyden (D‑OR) called it

one of the most dramatic and terrifying expansions of government surveillance authority in history

Senator Mark Warner (D‑VA), the chairman of the Senate Intelligence Committee, acknowledged that the provision was „poorly drafted“, and promised a correction through the Intelligence Authorization Act. Although the correction announced for June 2024 was Partially implemented, but the exact scope of the restriction is classified, the extended definition remains in force in principle.

„Data Broker Loophole“

A second aspect is only mentioned in passing in the report, but completes the picture: US authorities can circumvent constitutional restrictions by simply buying certain data.

Commercially Available Information (CAI) is defined by the US intelligence community as information that is commercially available to the public through purchase or subscription. CAI is considered a subset of Publicly Available Information (PAI) and includes, in particular, data generated by smartphones, networked devices and advertising-based business models on the internet. This data is aggregated and sold by data brokers such as Acxiom, LexisNexis or Oracle.

The declassified company mentioned in the expert opinion in June 2023 Report of the Office of the Director of National Intelligence (ODNI) of January 2022 documents this practice. Because CAI is treated as PAI, fewer restrictions apply than for other intelligence collection methods. However, according to the report, CAI is fundamentally different from traditional PAI such as newspapers. Today’s CAI is far more sensitive, affects virtually everyone, is hard to avoid and easy to deanonymize. Simply stating that CAI is publicly available is not enough:

[T]o say that CAI is „publicly available“ or can be purchased by „anyone“ obscures the quantity and sensitivity of information available for purchase today. […] To say that large-scale persistently updated data on millions of Americans obtained through sophisticated opaque corporate surveillance is equivalent to a newspaper that the government could always go out and buy is like saying that a ride on horseback is materially indistinguishable from a flight to the moon.

The report lists a number of contractual relationships for the procurement of CAI:

FBIContract with ZeroFox for social media alerting„
Defense Intelligence Agency (DIA)Contracts for social media reports on persons applying for security clearances and with LexisNexis for „comprehensive on-line search results related to commercial due diligence“
U.S. NavyContract with Sayari Analytics for access to a database with „tens of thousands of previously-unidentified specific nodes, facilities and key people related to US sanctioned actors“
Treasury Department: Access to Banker’s Almanac
Department of Defense: Access to Jane’s online
Coast GuardContract with Babel Street for „Open Source Data Collection, Translation, Analysis Application“

DIA also buys location data from smartphones on the open market. In a Letter to Congress dated January 15, 2021 the DIA disclosed this:

DIA currently provides funding to another agency that purchases commercially available geolocation metadata aggregated from smartphones. […] Permission to query the U.S. device location data has been granted five times in the past two-and-a-half years for authorized purposes.

The report then warns that anonymized data easily re-identified can be used:

Although CAI may be „anonymized,“ it is often possible (using other CAI) to deanonymize and identify individuals, including U.S. persons.

As an example, the report refers to a Research by the New York Times from 2019, which worked with 50 billion location data of 12 million Americans:

It was a random sample from 2016 and 2017, but it took only minutes – with assistance from publicly available information – for us to deanonymize location data. […] The Times was able to track the movements of President Trump via a member of his Secret Service detail.

The U.S. Supreme Court had ruled in 2018 in Carpenter v. United States however, ruled that security agencies generally need a court order to obtain location data from telecommunications providers. According to the ODNI report, however, the intelligence services do not have a uniform position on the applicability of Carpenter on purchased data. The DIA, for example, considers Carpenter- as not applicable to purchased data. The expert opinion refers to this practice:

While the U.S. Supreme Court in Carpenter found that the security authorities may only compel companies to hand over the requested data on the basis of a court order, this court decision is partially ineffective in practice. As long as the companies hand over the data „voluntarily“, according to the security authorities’ interpretation, there is no need for a court order. However, the security authorities buy the companies’ voluntariness with hard cash, as a report prepared by the US government in 2022 found.

The Fourth Amendment Is Not For Sale Act, which was intended to prevent this practice, passed the House of Representatives in April 2024 by 219 votes to 199, but failed in the Senate as an amendment to RISAA. Data purchasing therefore remains permitted at federal level. Only the state of Montana has prohibited law enforcement agencies from purchasing data in May 2025 (in force since October 1, 2025) that could otherwise only be obtained with a search warrant.

In response to criticism, on May 8, 2024, the ODNI published a IC Policy Framework for Commercially Available Information which is intended to implement the report’s recommendations and establish uniform standards for intelligence agencies. However, reports from January 2025 show that DHS has reacquired access to surveillance systems that can monitor cell phones in neighborhoods and track movements over time. The ACLU released ICE documents showing how the agency is attempting to construct a legal justification for purchasing location data without a warrant.

Control and not server location is decisive

The report also concludes that the Storage location of data largely irrelevant from a legal perspective is. The decisive factor is control over the data:

The provisions of the SCA undoubtedly also apply extraterritorially. This corresponds to the clear intention of the CLOUD Act legislator. In addition, it is settled case law of US federal courts that documents must be released even if they are located outside the USA but the obligor has control over these documents. The term “control” is interpreted broadly, meaning that any executive who can arrange for the information to be sent has control in this sense.

If a US company has a German subsidiary, US courts will be able to order the parent company to hand over data to the US authorities. European companies can also comply with the US jurisdiction to the extent that they maintain business contacts with the USA. The expert opinion refers to Plixer Int’l, Inc. v. Scrutinizer GmbH, according to which a German IT company was subject to US jurisdiction solely because its English-language website was also accessible to US customers and the company had served around 150 US customers with a turnover of approximately USD 200,000 for several years:

The operation of a website that is at least also aimed at US customers or does not explicitly exclude them from accessing the website may also be sufficient for the assumption of specific personal jurisdiction. For a cloud provider, simply offering its services to US customers may be sufficient if the proceedings concern precisely this activity.

Technical protective measures?

The expert opinion continues to examine, whether cloud providers can take technical measures to avoid the obligation to surrender data, for example by excluding themselves from data access, but has considerable doubts about this:

It seems questionable whether an obligation to disclose can be avoided by cloud providers technically excluding themselves from the cloud. […] Under US procedural law, however, parties are obliged to store information relevant to the proceedings even before the start of a legal dispute. […] If a cloud provider excludes itself from access to the cloud server by means of technical measures, it can no longer fulfill these obligations and sometimes risks substantial fines, criminal prosecution, or both.

Empfehlung einer RL über algorithmisches Management am Arbeitsplatz: Berichtsentwurf des EU-Parlaments

David Vasella — Tue, 20 Jan 2026 11:09:06 +0000

On December 17, 2025, the Employment Committee of the EU Parliament Recommendations to the Commission for a Directive on algorithmic management in the workplace adopted (Case file.

According to Art. 225 TFEU Parliament may request the Commission to submit a legislative proposal. If the report on the legislative initiative is adopted, the Commission has three months to inform Parliament of the planned next steps or to justify why it does not comply with Parliament’s demands.

In terms of content, the draft follows on from the Platform working guideline (see also Pärli in Jusletter 2024), but extends its approach to all employment relationships. The list of prohibitions in Art. 5 partially overlaps with Art. 5 AI Act (prohibited AI practices), but goes further, for example in the explicit prohibition of Neurosurveillance and the processing of data on the emotional state.

Need for regulation

According to the report, between a quarter and 80% of companies in the EU use at least one form of algorithmic management. 26.5% of employees are said to be supervised by software, with 27.4% having tasks assigned via software.

The report first identifies gaps in the existing legal framework. The Platform Work Directive is based on Platform work limited:

[T]he Platform Work Directive’s provisions on algorithmic management (in particular workers‘ rights to transparency, human review, worker information and consultation and OSH) only apply to persons performing platform work leaving other workers increasingly subject to algorithmic management less protected; underlines the need to ensure equal treatment of all workers […]

Unlike the final version, the draft report from summer 2025 contained even clearer statements on the protection gaps in the AI Act and the GDPR:

The AI Act classifies work-related AI systems as high-risk, but focuses on market access and product safety:

The AI Act represents a significant step forward in regulating high-risk artificial intelligence systems, it nevertheless remains insufficient to fully address the challenges posed by algorithmic management in the workplace. Although it classifies work-related AI tools as high-risk, its primary focus is on market placement, product safety, and compliance obligations for providers and users, and not on the employer-worker relationship. Furthermore, the AI Act does not apply to algorithmic management systems that are not AI-based, leaving a regulatory gap in addressing the broader impact of digital management tools on workers‘ rights, working conditions, and social dialogue.
The GDPR in turn, dates back to 2016 and was not designed for the specific challenges of data protection in the workplace:

Regulation (EU) 2016/679 […] dates back to 2016 and was not specifically designed to address the particular challenges of data protection in the workplace […] Article 15(1), point (h), of Regulation (EU) 2016/679, which lays down the transparency requirements for and the limitations of data processing, only provides for clear prohibitions in the case of fully automated decision-making processes, which are therefore not sufficient in most employment-related contexts. What is more, Regulation (EU) 2016/679 adopts individualistic approach and does not grant collective rights. Since the entry into force of Regulation (EU) 2016/679, Article 88 on the protection of workers‘ personal data has been poorly implemented and remains largely ineffective in nearly all Member States.

„Algorithmic management“

The resolution no longer contains a definition of algorithmic management, unlike the draft, but refers to the definition in the Platform Working Directive:

algorithmic management‘ should be defined as automated monitoring systems and automated decision-making systems.

The Platform Work Directive defines these terms in Art. 2:

Automated monitoring systems: Systems for monitoring, supervision or performance evaluation by electronic means
Automated decision-making systemsSystems that make or support decisions that significantly influence working conditions

Recommendations to the Commission

The annex contains eleven recommendations to the EU Commission for a proposal for a directive:

Transparency and information obligations (recommendation 3)

Employers should inform the affected employees and their representatives in writing about

Use or planned use of algorithmic management systems
Effects on working conditions and employment status
Categories of data collected, processing purposes and recipients
Mechanisms of human supervision
Training and support measures

Applicants should also be informed about automated decision-making systems.

Consultation obligations (recommendation 4)

The introduction of new systems relating to remuneration, evaluation, work organization, task allocation or working hours should trigger consultation obligations.

Prohibited practices (Recommendation 5)

The resolution calls for a ban on the processing of the following data:

Emotions, moods, brain activity or biometric data
Private communication, also with colleagues or employee representatives
Behavior outside of working hours or in private areas; location tracking outside of working hours
Data that allow conclusions to be drawn about trade union activities or the exercise of other fundamental rights
special data in accordance with Art. 9 GDPR (health, ethnicity, religion, political opinion, sexual orientation, etc.) and conclusions about such data

These prohibitions should also apply to the application process.

Human supervision (recommendation 6)

The resolution calls for continuous and effective human oversight of all decisions, that are made or supported by algorithmic management:

The persons responsible for oversight and evaluation should have the competence, training and authority necessary to exercise those functions, including the authority to override automated decisions.

Employees should have a Right to declaration for decisions that affect key aspects of their employment relationship. Automation is prohibited for certain decisions:

Decisions concerning the initiation or termination of employment, the renewal or non-renewal of a contractual agreement, or any changes in remuneration or disciplinary action should always be taken by a human being and should be subject to human review.

Occupational health and safety (recommendation 7)

Employers should integrate the risks of algorithmic systems into their occupational health and safety systems, including psychosocial and ergonomic risks as well as undue pressure on employees.

Supervision (recommendations 8 and 10)

The Labor inspectorates should be responsible for monitoring. In addition, the Data protection authorities monitor the application of the provisions on data processing in the employment context, in cooperation with the labor authorities.

Proportionality and SMEs

SMEs should be spared too much bureaucracy:

The proposal should respect the principle of proportionality and should ensure that the administrative and compliance burden imposed is appropriate to the size of the employer and the resources at its disposal, the nature of the technologies used, and the level of the risk involved, particularly with regard to micro, small and medium-sized enterprises.

BAV: Cloud Computing für Eisenbahnanwendungen

David Vasella — Tue, 20 Jan 2026 06:59:29 +0000

The Federal Office of Transport FOT on April 23, 2025 Industry letter on cloud computing for railroad applications to the railroad undertakings. The letter specifies the existing requirements of the Railroad Ordinance (EBV) and the Implementing regulations (AB-EBV) for the use of clouds.

The existing requirements do not explicitly regulate cloud computing. The use of clouds in railroad applications is therefore permitted if the general requirements for availability, reliability and security, among others, are met. The FOT therefore requires an assessment of the risk of cloud failure, among other things, before use. The FOT then formulates nine requirements (Cloud‑1 to Cloud‑9), which require cloud governance from the companies covered and which can be generalized beyond the railroad sector:

Scenario analysis (Cloud‑1): Scenarios for incidents with security or availability-relevant effects must be systematically identified. Taking into account the entire supply chain, the following in particular must be considered: technical failures, failures due to misconduct, cyber incidents (including sabotage and insider attacks) and willful service interruptions by the service provider, e.g. on the orders of a political authority.
Risk assessment (Cloud‑2 to Cloud‑4): The probability and extent of the identified incidents must be determined, compensatory measures (fall-back levels) to safeguard rail operations must be investigated and, taking into account the systemic importance of the company, it must be assessed whether the residual risk can be accepted.
Governance (Cloud‑5): The decision to use the cloud must be based on the risk assessment by a suitable body within the company. This decision must be reviewed periodically and in the event of relevant changes.
Contract design (Cloud‑6): The requirements for the cloud, both functional and non-functional (e.g. processes for reporting incidents), must be defined and set out in a contract with the service provider.
Documentation (Cloud‑7 to Cloud‑9): The risk assessment and the decision must be documented and made available to the FOT on request. The inclusion of the process in the management system must be reviewed. In addition, a detailed overview must be kept of all clouds used that are relevant to operations or security.

In future, the FOT intends to review implementation as part of its supervisory activities, both at the procedural level (planning approvals, type approvals) and in terms of monitoring (audits, operational checks). A particular focus will be placed on the topics of supplier management and business continuity management.

EuGH, Rs. C-492/23 – Russmedia: Plattformbetreiber als gemeinsam Verantwortliche für nutzergenerierte Inhalte

David Vasella — Mon, 19 Jan 2026 06:42:56 +0000

At Judgment C‑492/23 of December 2, 2025 in the matter of Russmedia the ECJ has ruled on the Data protection responsibility of the providers of online platforms expressed. The ruling was supported by Sarah Bischof (Vischer) discussed.

The background was a fictitious advertisement on an online marketplace of the Russmedia Group, which had been placed by an unknown person and in which the plaintiff was portrayed as a provider of sexual services.

Special categories of personal data

First of all, such information special categories of personal data within the meaning of Art. 9 GDPR, even if they are fictitious:

In the context of this broad understanding of the term, data relating to the sex life or sexual orientation of a natural person cannot lose their classification as „sensitive data“ within the meaning of Art. 9 para. 1 GDPR because they are by their nature untrue and harmful.

Joint responsibility of the platform operator and the user

The user determines the post and is responsible for it

The responsibility for processing the data by publication (i.e. the post on the platform) lies initially with the user:

In the present case, it is clear that the advertising user who published the misleading, damaging and containing personal data of the applicant in the main proceedings placed on the online marketplace operated by Russmedia is to be regarded as the person who determines the purposes and means of the processing of this data. has mainly decided, and therefore falls under the term „controller“ within the meaning of Art. 4 No. 7 GDPR.

The platform operator is also responsible, regardless of the content of the post

However the operator of the platform is also a controller, because or insofar as he influences the processing out of his own interest:

It must therefore be assumed that Russmedia influenced the publication of the personal data of the plaintiff in the main proceedings on the internet out of its own interest and thus participated in determining the purposes of that publication and thus the purposes of the processing in question. (para. 68)
[…]
Although it follows from the case law cited in para. 58 of the present judgment that a person can only be classified as a „controller“ for the processing of personal data if he influences this processing for his own interests, it should be noted that this may be the case, inter alia, if the operator of an online marketplace publishes relevant personal data for commercial or advertising purposes that go beyond the mere provision of a service that he provides to the advertising user.

This was the case here because (paraphrased) Russmedia was neither a pure vicarious agent of the user nor a pure infrastructure provider when publishing the advertisement, but rather when dealing with the advertisement had a certain degree of co-determination for its own, ultimately commercial interests – Russmedia’s general terms and conditions were relevant for this:

[…] In this respect, the general terms of use of this marketplace give Russmedia considerable freedom to use the information published on this marketplace. In particular, Russmedia reserves the right, according to the referring court, to use, distribute, transmit, reproduce, modify, translate, pass on to partners and remove published content at any time, without the need for a „valid reason“ in this respect. Russmedia therefore does not publish the personal data contained in the advertisements, or not only for the advertising users, but processes this data and can profit from it for its own advertising purposes and for its own commercial interests.

It did not matter that Russmedia, in contrast to the user had no intention to cause harm – The fact that Russmedia wanted to publish the advertisement in its own interest was not, or not only, relevant, but was sufficient for the co-determination of the purpose:

That finding is not called into question by the fact that the misleading and harmful purpose pursued by the advertiser in publishing the advertisement at issue in the main proceedings was manifestly determined without the involvement of Russmedia. The determination of the purpose of the processing, which consisted in disclosing to internet users the personal data contained in the advertisement at issue in the main proceedings, was not involved in that determination. accessible, to profit from these publications, Russmedia has in fact contributed. In addition, Russmedia has makes it easier for such data to be published without the consent of the data subject, by making it possible to place ads anonymously on their online marketplace.
[…] Furthermore, by making its online marketplace, which was used to publish the advertisement at issue in the main proceedings, available to the user who placed the advertisement, Russmedia participated in the Determination of funds contributed to this publication.

Users and operators as joint controllers

From this, the ECJ concludes that both – users and platform operators – must jointly responsible are:

Firstly, as regards the question of whether the operator of an online marketplace must identify the advertisements containing sensitive data within the meaning of Art. 9(1) GDPR before publishing them, it should be noted that, as can be seen from recitals 64 and 75 of the present judgment, this operator and the advertising user who has placed such an advertisement on this online marketplace are to be regarded as joint controllers within the meaning of Art. 26 GDPR, if the advertisement in question is published there.

Duty to check sensitive data

In accordance with the classification as joint controllers, operators and users must fulfill the data protection obligations of the controllers, in particular the demonstrable guarantee of the Legality. Both must also have the Correctness of the processed data.

So the question is, which Measures and – because the dispute concerned the responsibility of the platform operator – what the platform operator must actually do. The ECJ initially describes this vaguely and in language that is difficult to read even by the standards of the ECJ:

In order to determine the specific appropriate technical and organizational measures to be taken by the operator of an online marketplace as joint controller of personal data […In order to determine the specific appropriate technical and organizational measures to be taken by the operator of an online marketplace as joint controller of personal data […] to ensure and be able to demonstrate that the publication of sensitive data contained in an advertisement has been carried out in accordance with this Regulation, it should be noted that those provisions provide that the appropriateness of such measures must be specifically assessed, taking into account the nature, scope, context and purposes of the processing in question and the varying likelihood and severity of the risks to the rights and freedoms of the data subject which are specific to him […].

In this case, it should be noted that the disputed advertisement contained particularly sensitive data (information on sexual life). Because the GDPR generally prohibits the processing of such data, the ECJ sees the following obligations for platform operators (insofar as they are jointly responsible):

Identification of sensitive ads before publication

If an operator has to expect that advertisements personal data requiring special protection (which must be judged on a case-by-case basis and need not necessarily apply to a classifieds market), it must take measures to Identify ads with such data:

Since the operator of an online marketplace such as the one at issue in the main proceedings knows or should know that advertisements containing sensitive data within the meaning of Article 9(1) GDPR can generally be published on its online marketplace by users placing advertisements, that operator, as the controller, is therefore obliged to take appropriate technical and organizational measures when designing its service in order to identify such advertisements before they are published. (para. 97)

Identity check of the advertising user

In addition, the platform operator must check whether the particularly sensitive personal data contained in an advertisement complies with the concern the user himself or a third party:

In order to ensure and prove that the requirements set out in Article 9(2)(a) GDPR are met, the marketplace operator must therefore check, before publishing such an advertisement, whether the user who is about to place the advertisement is the person whose sensitive data is contained in the advertisement, which requires that the identity of the user placing the advertisement be established. (para. 99)

Refusal of publication without consent:

If the user placing the advertisement is not the person concerned and no explicit consent can be proven, the advertisement may not be published.

Measures against proliferation

Platform operators are also required to Protective measures against copying of advertisements:

To this end, the operator of this online marketplace must implement technical measures which, as far as technically possible and economically viable, can prevent or at least make it more difficult to copy the advertisements and publish them on other websites. (para. 112)

However, the fact that an advertisement has been reproduced on other websites does not mean that anti-copying measures have been neglected.

No liability privilege for GDPR violations

In view of this far-reaching MIt responsibility, the question naturally arises as to whether the operator should not be exempt from the Exemption from liability according to the E‑Commerce Directive should benefit. Art. 12–15 of the Directive grant exemptions from liability to platform operators and other intermediaries: In the case of pure transmission (Art. 12) and caching (Art. 13), there is no liability as long as the provider remains passive and does not change content; in the case of hosting (Art. 14), a privilege applies as long as the provider has no knowledge of illegal content or removes it immediately upon becoming aware of it (notice-and-takedown). Art. 15 also excludes general monitoring obligations.

However, this does not help against GDPR violations:

Pursuant to Article 1(5)(b) of Directive 2000/31 not applicable to data protection matters. Furthermore, Art. 2 (4) GDPR confirms that the liability privileges of Art. 12 to 15 of this Directive do not restrict the application of the GDPR.

The Digital Services Act DSA adopts the privileges of the E‑Commerce Directive almost word-for-word, but supplements them with the „good Samaritan privilege“ of Art. 7, according to which voluntary investigations into illegal content do not lead to the loss of privileges. The GDPR also takes precedence over the DSA and remains unaffected. Art. 2 para. 4 lit. g DSA clarifies that the DSA does not affect the provisions of the GDPR, and according to Art. 2 para. 4 subpara. 2 DSA, the privileges under Art. 4–6 DSA do not restrict the application of the GDPR.

Consequences

It is not surprising that the ECJ sees a shared responsibility here. However, Russmedia goes further by stating that the operator, who is only secondarily jointly responsible, has specific obligations to check. This can have a significant impact on operators of online platforms with user-generated content. Operators will have to deal with measures such as :

Recognition systems for ads with sensitive data (health, sexual orientation, political opinions, etc.)
Identity check of advertising users before the activation of corresponding content
Technical precautions against copying and scraping of advertisements

Contractual adjustments can also be imposed, for example:

Review of the GTC for overly extensive rights of use that could give rise to joint responsibility without a corresponding commercial benefit
Joint controller agreements with users

div]:bg-bg-000/50 [&_pre>div]:border‑0.5 [&_pre>div]:border-border-400 [&_.ignore-pre-bg>div]:bg-transparent [&_.standard-markdown_:is(p,blockquote,h1,h2,h3,h4,h5,h6)]:pl‑2 [&_.standard-markdown_:is(p,blockquote,ul,ol,h1,h2,h3,h4,h5,h6)]:pr‑8 [&_.progressive-markdown_:is(p,blockquote,h1,h2,h3,h4,h5,h6)]:pl‑2 [&_.progressive-markdown_:is(p,blockquote,ul,ol,h1,h2,h3,h4,h5,h6)]:pr‑8”>

_*]:min-w‑0 standard-markdown”>

In Switzerland

Switzerland has no liability privilege for hosting providers. Liability is governed by Art. 41 ff. OR, Art. 28 ff. ZGB and the DSG. Claims for removal exist regardless of fault against anyone who contributes to an infringement of personality rights. Compensation requires fault.

The Preliminary draft of the KomPG does not change this. It is based on the DSA, but is limited to very large communication platforms and search engines and primarily regulates notification procedures, transparency obligations and user rights in the event of content removal. It does not provide for liability privileges.

privatim: Resolution zur Auslagerung von Datenbearbeitungen in die Cloud

David Vasella — Tue, 25 Nov 2025 12:08:05 +0000

On 24.11.2025, privatim, the conference of Swiss data protection officers, published a “Resolution on the outsourcing of data processing to the cloud” published. privatim has already been repeatedly commented on the topic of the cloud.

The motivation for this is probably to be found in the developments of recent months, particularly in the Cantons of Lucerne or Basel-Stadt or Zurich. The fact that the independent data protection officers are now expressing their views on the topic via privatim may therefore also be due to political pressure (and the recent US deal with Switzerland and its data-related content may also have played a role). It is noteworthy, however, that the canton of Glarus – for reasons as yet unknown – is not supporting the resolution.

In terms of content, privatim’s strict stance is probably influenced by Zurich (the Zurich data protection officer is also the contact person for queries). However, there are some comments to be made:

Scope of application and de facto prohibition: The resolution apparently tries not to sound too apodictic, but seems very absolute on the matter and almost seems to want to establish a Lex Microsoft – in any case, only M365 is mentioned by name as a technology or offering. In fact, however, the resolution affects all SaaS offerings with potential knowledge by foreign providers. Nevertheless, the resolution does not explicitly state that the use of the cloud by cantonal bodies is prohibited. Conversely, it confirms that the use of the cloud is generally permitted by law. However, in the case of particularly sensitive personal data or special official secrets, it requires that the relevant data be encrypted by the institution and that the provider does not have access to the key. This corresponds to a ban on SaaS solutions for such data.
Making the need for protection absolute: It cannot be said that particularly sensitive personal data is particularly at risk in the cloud. US intelligence services are more likely to be interested in payment or telecommunications data, for example, than in health data. The resolution also ignores the fact that the Federal Council deliberately recognizes the protection for US companies certified under the “Swiss-US Data Privacy Framework” as appropriate.
Lack of legal justification: The resolution does not justify its statements. It works with a petitio principiiwhen it claims that the outsourcing body can only “mitigate the severity of potential infringements”. The question would be whether there is an infringement at all. In addition, the question would have to be answered as to whether control and data security with a hyperscaler, despite theoretically possible access by the authorities, should not be rated higher than with realistic alternatives with all the weaknesses that these may have. The result of such a realistic net assessment on both sides would have to be examined for its legal admissibility. This question cannot be brushed aside with a reference to possible access by US authorities. Fundamental rights have a core content that radiates into the application of the law. Outside the core area, compromises are unavoidable and permissible. This also applies in the context of administrative management. Interference outside the core content is only excluded in principle if an equivalent alternative is available without such interference.
Involvement of auxiliary persons: The involvement of auxiliary persons is also for official secrets not prohibited in principle. The fact that not all questions are clear does not mean that there is “considerable legal uncertainty”. The position of the Zurich authority, which is reflected in the resolution that a large provider cannot be called in as an auxiliary person, is also poorly substantiated. This may be a remote effect of the misguided, historically conditioned provision of § 3 para. 1 of the Zurich law on the outsourcing of IT services. And it can hardly be claimed that the growing number of cantonal employees are so much better at keeping secrets than employees of hyperscalers.

A per se ban on solutions with a foreign connection for certain data would be a political decision. Such a ban would be the responsibility of the legislator and not the acceptance of certain risks, which are unavoidable even with domestic solutions and which are accepted to a certain extent as a matter of course.

FINMA: Risikomonitor 2025: Outsourcing-Risiken →, Cyberrisiken ↑, IKT-Risiken ↑

David Vasella — Mon, 17 Nov 2025 19:27:40 +0000

FINMA publishes an annual risk monitor as an overview of the risks that FINMA currently classifies as particularly significant for supervised institutions and the focus of its supervisory activities. It not only identifies the main risks (which are naturally limited to the area of technology and data), but also formulates supervisory expectations. It has published the Risk Monitor 2025 today.

Outsourcing risks

The Outsourcing risks FINMA considers this to be the same as the previous year (i.e. high).

The main risk drivers are

Increasing concentration on a small number of service providers, particularly for cloud services;
Identification and assessment of risks along the supply chain (even if outsourcing is not considered material)
Geopolitical uncertainties

Supervisory focusFINMA monitors outsourcing risk by means of specific on-site inspections – of supervised institutions and their service providers – and by systematically evaluating supervisory and audit data. It compiles an inventory of significant outsourcing in order to identify concentrations on a small number of service providers. The focus is on outsourcing critical functions that are central to operational resilience.

FINMA is particularly concerned about cluster risk among a small number of providers:

The increasing concentration on a small number of service providers, particularly in the area of ICT infrastructure and cloud services, continues to pose a key risk. Numerous institutions use the same providers, which can lead to systemic dependency.

Cyber risks

In contrast, there was a clear increase in Cyber risks.

The main risk drivers are

Concentration on a few service providers
Attacks on the supply chains
DDoS attacks
E‑mail traffic
Insider threats
Incorrect transmission of sensitive information
Vulnerability management
Configuration management
Reporting system

Supervisory focusFINMA monitors cyber risk through targeted on-site inspections and additional audit procedures at banks in supervisory categories 1 and 2. For institutions in categories 3 to 5, it uses a standard audit program for the management of cyber risks and uses questionnaires to assess the maturity of the institutions’ cyber protection arrangements. For fund management companies and managers of collective assets, it has also published checkpoints on the management of cyber risks.

ICT risks

There was also an increase in ICT risks.

The main risk drivers are

Increasing complexity due to changing requirements, rapid technical progress, large number of integrations with other systems
Dependence on IT systems
faulty software components
improper maintenance or human error
Inadequate quality of data from external sources (e.g. “non-compliant formatting”)
Automatic updates
Misconfiguration in authorization management
Legacy and end-of-life systems

Supervisory focusFINMA monitors ICT risk by means of specific on-site inspections and the evaluation of supervisory and audit data.

EuGH (C‑654/23): einwilligungsfreier Versand von Werbung an Newsletter-Abonnenten

David Vasella — Mon, 17 Nov 2025 17:39:01 +0000

The ECJ has ruled in the Rs. C‑654/23 of November 13, 2025 (Inteligo Media SA v Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) ruled that the provider of a paid information service may send advertising for this service to newsletter subscribers without their consent:

First of all, “direct marketing within the meaning of Art. 13 (1) of the e‑Privacy Directive (DIRECTIVE 2002/58) as much as “Commercial communication„:

41 […] it follows from the case-law of the Court of Justice that that concept covers communications by which a commercial objective and which are directly and individually addressed to a Consumers direct […].

This is the case for e‑mails with an informational background and an invitation to obtain full texts for a fee.

As a basic rule, Art. 13 para. 1 of Directive 2002/58 requires the consent of the recipients. Art. 13 para. 2 allows with the “Existing customer exception” the dispatch even if the contact details were collected in connection with the sale of a service. However, this exception requires that the contact data used received in connection with a sale were.

In this case, it was not obvious that this requirement was met: the recipients of the newsletter had registered for a free product:

55 […] Inteligo Media […] obtained the electronic contact information of the users concerned when they created a free account on the online platform operated by that company, which implied that those users accepted the contractual conditions for the provision of the ‘premium service’. By subscribing to this service, these users obtained the right to free access […]

However, according to the ECJ in a not self-evident and not inelegant argumentation, this does not do any harm:

54 […] the Court has held that the remuneration for a service provided by a supplier in the course of his economic activity is not necessarily paid by those who benefit from it. That is the case, in particular, where a free service is provided by a supplier for the purpose of advertising the goods or services he sells, since the costs of that activity are then included in the selling price of those goods or services […]. These considerations can be applied to the interpretation of Article 13(2) of Directive 2002/58.

The ECJ therefore allows the remuneration to suffice that pay those addressees for whom the advertising is effective. The fact that money is flowing here also makes all other free subscriptions look like “in connection” with a sale appear.

Since no consent requirement follows from Art. 13 of the Directive, the GDPR does not require consent either. According to Art. 95 and Recital 173, the GDPR does not apply if Directive 2002/58 contains a specific provision for the same purpose.

Legal situation in Switzerland

The result of the ECJ can probably be transferred to Switzerland, especially since Art. 3 para. 1 lit. o UCA is deliberately based on European law with the aim of harmonizing the law:

o. […] who is at the Sale of goods…] and points out the possibility of refusal, does not act unfairly if he sends these customers mass advertising for his own similar goods, works or services without their consent;

However, two problems remain:

Firstly, exempt advertising is limited to your own and similar services, which is why consent is often the better option;
Secondly, the existing customer exception only applies if the purpose of the advertising and the possibility of refusal were already pointed out when the contact address was obtained, which is often not verifiable.

However, enforcing the ban on spam in Switzerland is not exactly a priority for the relevant authorities.

LG München: Vervielfältigung bei einer reproduzierbaren Memorisierung in einem LLM; TDM-Schranke darauf nicht anwendbar

David Vasella — Mon, 17 Nov 2025 13:41:49 +0000

The Munich Regional Court (LG) ruled in a judgment dated November 11, 2025 (Ref. 42 O 14139/24) decided that reproducible training texts available in a model (here: ChatGPT 4 and 4o from OpenAI) (“Memorization„) as duplication within the meaning of Section 16 of the German Copyright Act (UrhG). It is sufficient that the training texts are reproducibly available in the model:

The plaintiff claims that the chatbot generates Reproductions of the training data to a considerable extent. This so-called Memorization of content within models leads to the Regurgitationi.e. to produce output that explicitly reproduces certain training inputs […] […]
201 a. The Chamber is convinced that the texts at issue are […] Included in the model.

202 aa. It is known from information technology research that training data can be contained in models and can be extracted as outputs, which is referred to as memorization […]. Such memorization occurs when the unspecific parameters in training do not just extract information from the training data set, but a complete transfer of the training data can be found in the parameters specified after the training.

203 The multiple occurrence of a training date in the training set is assumed to be the cause of memorization, which mainly occurs with large models […].

204 The memorization of training data can be verified using various methods. If the training data is known, it is possible to compare the training data with outputs using simple prompts and sufficient text length to determine memorization. Otherwise, the parameters entropy and perplexity are used to examine the certainty with which a model reproduces an output – in the case of trained and memorized content, the certainty is high […]. Contrary to the defendant’s statement, simple prompts are not a condition for generating the training data as outputs, but merely serve to prove memorization. […]
205. the Memorization can already be determined here by comparing the lyrics with the outputs. The use of the disputed song lyrics as training data is undisputed. According to Annex K 2, the song lyrics in dispute are clearly recognizable in the submitted outputs by the very simple prompts “What are the lyrics of [song title]”, “Who wrote the lyrics”, “What is the chorus of [song title]”, “Please also tell me the first verse”, and “Please also tell me the second verse”.

The fact that texts have been fed in as training data and are reproduced during queries constitutes prima facie evidence that the texts are stored in the model in duplicated form. Furthermore, duplication does not require a work to be reproduced identically. It is also sufficient to specify a work in a modified form. The technical details are also irrelevant:

For reproduction under copyright law how memorization works in detail remains open. It is irrelevant whether one speaks of storing or copying the training data or, as the defendants put it, whether the model reflects in its parameters what it has learned based on the entire training data set, namely relationships and patterns of all words or tokens that represent the diversity of human language and its contexts. This is because it is crucial that the song lyrics that served as training data are reproducibly contained in the model and thus embodied.

The following was then not applicable TDM exception (§ 44b UrhG):

Language models such as the models in dispute generally fall within the scope of the text and data mining restrictions. The regulations cover necessary duplications when compiling the data corpus in phase 1 (see above), but not further duplications in the model in phase 2. If, as in the present case, information is not only extracted from training data in phase 2, but works are also reproduced, this does not constitute text and data mining. Even if the limitations provisions generally apply to the training of models, reproductions in the model are not reproductions that are covered by the limitations provision, as they are not only used to prepare the text and data mining.

The judgment was issued by Mathias Lejeune comments.

Omnibus I und II zur Vereinfachung des EU-Digitalrechts – die digitale EU tritt der Schweiz bei

David Vasella — Tue, 11 Nov 2025 14:26:58 +0000

The European Commission is currently working on a comprehensive package to reform and consolidate European digital law entitled the “Digital Omnibus”. The Commission wants to eliminate overlaps between data protection, data and AI law, simplify regulations and reduce the administrative burden for companies and authorities, but of course without weakening the protection of fundamental rights.

Drafts, whose official publication has been announced for November 19, 2025, are available. This will be followed by the ordinary legislative procedure in the Council and Parliament. The drafts show surprisingly far-reaching changes to the Data Act, the GDPR and the AI Act.

Specifically, the Commission is planning two omnibus regulations (documents via netzpolitik.org):

Omnibus I (“Digital Omnibus for the digital acquis”)Consolidation of the Data Act, Open Data Directive and Data Governance Act and adjustments to the GDPR.
Omnibus II (“Digital Omnibus on AI”)Adjustments to the AI Act.

noyb warnsthe draft could damage the basic principles of the GDPR, for example by restricting the concept of personal data. The draft pursues a “death by a thousand cuts” strategy that systematically weakens existing protection standards.

Omnibus I

Data Act

The existing Data Act together with the Open Data Directive and the Data Governance Act will be merged into a consolidated legal act. This will include the following innovations:

Retention of the ban on data localization requirements within the EU;
strengthened protection mechanisms against unauthorized disclosure of trade secrets to third countries;
Extension of existing simplifications for SMEs to small mid-caps (SMCs);
higher fees and stricter conditions for the reuse of public data by very large companies and gatekeepers within the meaning of the Digital Markets Act (DMA);
Standardization of the rules on open administrative data, protected data and data altruism;
In addition, the Regulation on a framework for the free flow of non-personal data in the EU be integrated into the Data Act;
Data access by authorities should only be permitted in “public emergencies”;
the chapter on smart contracts is deleted.

GDPR

The GDPR is also to be amended with the aim of clarifying key terms and reducing obligations for harmless processing. The main changes are:

Specification of the Definition of personal dataclarification that the personal reference requires a realistic possibility of identification;
Clarification of the Concept of health data (only data “directly revealing information about health status” – a departure from the Case law of the ECJ);
Exemption from use biometric data “to confirm identity under the sole control of the person concerned”;
Permissibility of processing special categories for Development and operation of AI;
Notification of security breaches:
- Extension of the mandatory reporting period to 96 hours;
- Reporting of security breaches via a single entry point system (“Single Entry Point for Incident Reporting”). This should enable reporting obligations to be fulfilled simultaneously in accordance with the NIS2 Directive, the GDPR, DORA, the Digital Identity Regulation and, if applicable, the CER Directive;
EU-wide standardized negative lists for processing operations that are not Data protection impact assessment require;
Right of refusal in the event of obvious misuse or abuse Request for information.

The Commission also proposes that the Training of AI models with personal data in future on the basis of the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR (which shows the previous bad feeling on this topic).

Cookies and online tracking

The processing of personal data on or from terminal equipment – i.e. the Tracking – should only be based on the GDPR. The basic consent requirement under the ePrivacy Directive (Art. 5 (3)) would no longer apply. Instead, a machine-readable preference system for cookies and tracking via browser or app settings, which website operators must respect (except media providers…).

Omnibus II: AI Act

The Digital Omnibus on AI is intended to simplify the AI Act. Feedback from implementation to date has shown delays and ambiguities. The Commission proposes the following measures:

a possible adjustment of the Implementation deadlinesto take account of delays in standardization and the naming of authorities;
Transitional period for the labeling obligation (“Watermarking”) for AI systems that were placed on the market before this obligation came into force;
Extension of the facilitations for SME on small mid-caps (e.g. simplified documentation requirements, consideration for any sanctions);
Commitment of the Commission and the Member States, AI Literacy itself instead of just making the deployers responsible;
Reduction of the Registration obligations for AI systems that are used in high-risk areas but only perform procedural or narrowly defined tasks;
Permissibility of use Special categories of personal data by providers or deployers for the purpose of detecting and correcting bias;
Expansion of the use of test environments (“AI sandboxes”) and real-world tests;
Clarification of the Interplay between the AI Act, Cyber Resilience Act and DSA;
Centralization of the Supervision about AI systems in very large online platforms and search engines at the AI Office.

DSV: Protokollierungspflicht für Bundesorgane per 1.12.2025 eingeschränkt

David Vasella — Wed, 29 Oct 2025 19:40:27 +0000

The Federal Council has decided to restrict the logging obligation for federal bodies in accordance with Art. 4 DPO to December 1, 2025:

Media release
Amendment
Explanations

This obligation currently applies to all automated processing (para. 2). However, according to the Federal Council’s press release, it has been shown in practice that the risks of processing do not outweigh the costs of logging. The Federal Council has therefore decided to follow the risk-based approach of data protection law for the logging obligation for federal bodies as well. Following the amendment to the DPA, the following regulation will apply (limited to automated processing in each case):

personal data requiring special protection; Profiling; Processing within the scope of the Schengen DirectiveLogging
Other personal dataPerform a risk assessment, in writing (and preferably as part of the security procedure in accordance with Art. 16 ff. ISG). Upon request, the FDPIC must be informed of the “result and content” of the audit. The result of the audit then determines both the subject matter and the scope of the logging

Therefore, the Transitional provision on logging in Art. 46 DPA:

For all automated processing of normal personal data that was planned or started before December 1, 2025, the risk assessment must be completed by End of 2026 to be carried out.
If logging is required, this must be completed by December 31, 2029 be implemented.
At No transitional provision applies to processing with special risks.

In addition, the Federal Council clarifies through two further amendments that the “Read” when logging the “Accessing the data” means. Other amendments concern cosmetics and the ordinance on military and other information systems in the DDPS.

A Deltaview of the changes in the DSV is available here.

Bundesrat: Vernehmlassung zur Plattformregulierung (VE BG über Kommunikationsplattformen und Suchmaschinen)

David Vasella — Wed, 29 Oct 2025 14:21:38 +0000

The Federal Council today after some delay submitted a draft law on the regulation of online platforms such as Instagram, X and Google for consultation (Federal Act on Communication Platforms and Search Engines, KomPG):

Media release
Draft law (preliminary draft, VE KomPG)
Explanatory report VE-KomPG

The consultation will last until February 16, 2026.

The KomPG is intended to strengthen the rights of users of communication platforms and search engines and promote transparency (Art. 1). The draft is closely based on the Digital Services Act of the EUbut is not a copy of it.

For example, the Scope of the KomPG on particularly Large platforms and search enginessuch as X (Twitter), YouTube, Instagram or Google Search, which occupy a central position in public communication. The scope of application is deliberately narrow: only very large platforms and search engines are affected, i.e. those that are used by at least 10% of the Swiss population every month (Art. 2), regardless of where the providers are based. Small and medium-sized providers are exempt. Unlike the DSA, the KomPG not on pass-through services, hosting or caching services be applicable. Non-profit services without an economic purpose (e.g. Wikipedia) are also exempt.

The draft essentially provides for the following:

Providers of very large platforms and search engines must have a Notification procedure for suspected criminally relevant content (e.g. violence, hate speech, defamation), examine and substantiate reports and inform those affected (Art. 4–5).
Users whose Content removed or accounts blocked (“restrictive measures”) are entitled to a notification with reasons and access to a free internal complaints procedure (Art. 6–7).
Disputes can also be submitted to an authorized Arbitration board whose procedure is mandatory for platforms (Art. 8–12).
The AGB must contain certain minimum content – in particular on moderation and recommendation systems – and be publicly accessible in three official languages and with a summary. Significant changes must be actively communicated (Art. 13).
The following apply Prohibitions on due diligence, transparency and discrimination in content moderation and in reporting and complaints procedures (Art. 14).
Third-party advertising must be visibly labeled. Users should have easy access to information about the personalization systems; large platforms must also maintain a public advertising archive (Art. 15–16).
For Recommendation systems information on the algorithms used (parameters, weighting) must be disclosed in the GTC. In addition, a usage option without profiling must be provided (Art. 18).
Providers are obliged to annually Transparency reports (including on moderation and complaints) and to publish a risk assessment on systemic impacts on democracy, public security and fundamental rights (Art. 19–20);
Platforms must have a Contact point in Switzerland and – if domiciled abroad – a Legal representation (Art. 21–23).
There is an annual independent Evaluation compliance with the obligations by the providers (Art. 24–25).
Researchers and civil society organizations are to be given the following conditions Access to platform data to investigate systemic risks (Art. 26).
The Supervision is the responsibility of the Federal Office of Communications (OFCOM). It can order administrative measures up to and including the temporary blocking of services (Art. 27 ff.).
Sanctions up to 6 % of the worldwide annual turnover are provided for (Art. 34).

SEPOS: Standardbestimmungen Informationssicherheit in Beschaffungsverträgen

David Vasella — Wed, 15 Oct 2025 11:08:22 +0000

On behalf of the Federal Council, the Federal Information Security Unit at the State Secretariat for Security Policy SEPOS has Standard provisions for information security for procurement contracts published in order to increase the information security of the federal government and prevent data outflows from suppliers (the Gauges from Xplain were leading).

The standard provisions are to be understood as Recommendation to the requirements and procurement offices of the Federal Government and are January 1, 2026 effective.

You supplement the General Terms and Conditions of the Confederation (see here) and include the following provisions:

For specific application, the document contains Guidelines and comments Standard provisions a nested sequence of checks that recommends a combination of GTC and standard provisions, depending on the sensitivity of the information processed by the service provider, the nature and delivery of the service and the personal nature of the data processed.

EDÖB: Update des Cookie-Leitfadens; per se-Verbot nicht notwendiger Cookies aufgeweicht

David Vasella — Tue, 07 Oct 2025 15:06:05 +0000

Today, on October 6, 2025, the FDPIC published an updated version of his cookie guidelines dated January 22, 2025 published (in addition our contribution at that time). The current version is version 1.1. Initial version can be downloaded here (PDF).

This is an unusual approach by the FDPIC, but a welcome one. If guidelines are adapted, this allows the public to make constructive comments. Interested parties can thus put forward their positions without having to go to court, even if – as was previously the case – they do not have the opportunity to comment on a draft.

The main change concerns proportionality. The old version of the guidelines made a blanket statement, unnecessary cookies are generally disproportionate. The current version moves away from this particularly criticized position:

It still says that unnecessary cookies violate the principle of proportionality.
However, reference is now made to the previous definition of the necessary cookies.
There, the guidelines now rightly state that it is is the person responsible for setting the processing purposeand that the proportionality of the Measured against this purpose:

Which cookies and similar technologies are technically necessary to ensure the functional feasibility of the desired processing depends on the purpose that the controller is pursuing with a specific data processing and cannot be answered in general terms.

In other words, the guidelines no longer imply that non-essential cookies violate personal privacy.

The guidelines now also explicitly address Location data (but without defining them – the indication of a country or a city cannot be understood as a location date):

When collecting location data that leads to movement profiles, a “high probability of identification of persons” must be assumed “in practice”.
Depending on the duration and radius, the collection of geolocation data could lead to high-risk profiling if this data alone or in combination with other data leads to precise movement profiles that allow conclusions to be drawn about key aspects of the user’s personality. This is also possible by combining imprecise location data.
Movement profiles can lead to “sensitive conclusions about privacy” through the evaluation of repeatedly visited locations (e.g. doctor’s and lawyer’s offices). This may require a DPIA.
In the case of apps for billing passenger transportation, the collection of location data is disproportionate and requires consent.

At the end there is also a new note on Paywalls.

In the communication on the update, the FDPIC announced his intention to carry out an “awareness-raising campaign aimed at a wider audience” and then to initiate the “necessary supervisory steps in accordance with the guidelines”.

EDÖB: strenges Merkblatt „Erläuterungen zu Patientenformularen für ärztliche und therapeutische Konsultationen“

David Vasella — Tue, 07 Oct 2025 09:29:02 +0000

On September 30, 2025, the FDPIC published an undated and in places very strict information sheet “Explanations on patient forms for medical and therapeutic consultations”. published. This has also Attorney Martin Steiger reports.

The information sheet is based on the DSG and therefore not on cantonal data protection law, which applies to cantonal hospitals, and not on professional secrets protected by criminal law. It considers the Doctor/patient relationshipbut should also largely apply to other therapeutic professions. The background to the information sheet is the fact that many umbrella organizations and associations of service providers provide templates for declarations of consent (such as the FMH), which raise questions regarding data protection, which is why the FDPIC wants to raise awareness among service providers (“Lerb”). He expressly expects a Customization of formswhere necessary.

Information

First of all, the leaflet addresses the Duty to inform according to Art. 19 f. FADP, but contains nothing new or surprising here. At most, it indicates a tendency towards a strict attitude with regard to the availability of information:

In addition, the controller must actively provide information; when obtaining the data, the controller must ensure that the data subject does not have to search for or request the information first, but can access it immediately. In other words, the doctor must ensure that the patient can take note of the information in an appropriate manner; however, he or she does not have to ensure that the patient actually does so.

It is of course correct to point out that the Lerb No confirmation of acknowledgement needs:

It should be emphasized here that, in contrast to consent (see chapter 2), this is “only” information, and explicit acknowledgement is not a prerequisite for validity. Whether the doctor complies with the duty to inform is therefore not dependent on the patient’s signature. The patient is not obliged to confirm that he or she has taken note of the information. To avoid creating unnecessary problems, it is therefore better not to require a signature.

Consent

The information sheet begins the topic of consent with a sentence that can be underlined twice:

According to the DSG Consent not a prerequisite for doctors to process the personal data of patients.

This applies to all particularly sensitive data (and even more so to all other data). Consent may of course be required, but this is not always the case.

If consent is required, the usual requirements apply, which the FDPIC intends to apply very strictly:

Informed: Here, the FDPIC first assumes that Art. 19 FADP the minimum content of what information is required for informed consent:

The data subject must therefore receive at least the information specified in Article 19 FADP. Depending on the context and type of data processed, further explanations may be required to enable the data subject to assess the scope of the consent.

It is questionable whether this applies in absolute terms, but in practice it is likely to apply as a rule because and as long as no high requirements are placed on the duty to provide information, which is ultimately only intended to enable a request for information.

However, it is wrong to state that the information “must” be “as comprehensive as possible” – it only has to be sufficient, more is always possible. The statement that the declaration of consent must also include the “Consequences of non-consent” and “the way in which the person uses his or her Revoke consent or can assert their right of access”. It can hardly be argued that a patient cannot form a genuine will to consent without this information.
Specific: Here, the FDPIC does not allow blanket consent, and rightly so, of course. However, he is also very strict here when he writes that prior consent to the disclosure of the dossier to a medical specialist is invalid; the consent can be given in writing. only be obtained when the question specifically arises. Prior consent “to the forwarding of any debt collection proceedings to a third-party company” is also invalid. There is no justification here either.
Ultimately, however, the FDPIC’s position here boils down to either a kind of Forfeiture of consent over time or to assume that a patient cannot accept a certain lack of clarity. There is no basis for either in the case of responsible patients. Moreover, the FDPIC’s position would not be limited to the healthcare sector – all sectors with sensitive data, including the financial sector, could no longer obtain such consent in general terms and conditions. However, the FDPIC only comments on data protection, not on criminal law. A different standard may very well apply here.
Voluntarinessno comments.

Secure electronic data disclosure

Consent to “unsecured electronic data disclosure” is problematic. Even purely administrative exchanges involve data that is particularly worthy of protection and must therefore be secured, e.g. through encryption. Consent to unsecured exchange is only possible if the patient has been informed of the risks and has agreed to it voluntarily, which requires, among other things, an effective choice.

Proportionality

According to this, the employee may not obtain more data than necessary. Data such as maiden name, marital status, nationality, business telephone number, occupation and name of employer are generally not necessary, subject to individual cases – in any case, the data controller must always be able to justify specific data processing. Excessive questionnaires should therefore be corrected.

This is of course correct in principle, but only in principle. Firstly, the principle of proportionality by definition allows for broad discretion, and data protection authorities – or the FDPIC – cannot substitute their discretion for that of the controller (a non-emergency practice would be correct). Secondly, a violation can be justified, possibly also by practicability considerations (insofar as these are not already taken into account in the application of proportionality itself).

EDÖB: Vorabklärung bei Coop zum Einsatz intelligenter Videoüberwachungskameras abgeschlossen

David Vasella — Tue, 07 Oct 2025 08:52:50 +0000

How the FDPIC has communicatedhe conducted and completed a preliminary investigation at Coop into the use of “intelligent video surveillance cameras” at self-service checkouts after the media reported to the FDPIC in February 2025 that Coop may be using surveillance cameras with AI at self-service checkouts in some sales outlets.

However, the FDPIC “waives” a formal investigation because the investigation has shown that the data processing complies with the Data Protection Act. Of course, this is not a “waiver” because the FDPIC may not open an investigation at all if there are insufficient indications of data processing. Only if this is the case can a waiver on the grounds of insignificance be considered.

In any case, the FDPIC had opened a preliminary investigation. With the information received from Coop, he was able to understand how the cameras work and make sure that they do not do what the FDPIC would obviously have classified as sensitive, namely that they

cannot perform facial recognition or analyze the purchasing behavior of customers.

The processing therefore complies with the FADP and does not entail any increased risk for the data subjects.

1C_105/2024: fedpol Zugangsgesuch betr. „Pegasus“ zurecht abgewiesen

David Vasella — Tue, 07 Oct 2025 08:41:26 +0000

The Federal Supreme Court had Judgment 1C_105/2024 of September 1, 2025 whether fedpol is obliged to confirm the existence or non-existence of a contract in response to a request for access under the Federal Act on the Protection of Personal Data. The background to this were media reports on the use of surveillance software Pegasus of the Israeli company NSO Group.

fedpol had refused access. The FDPIC responded on January 25, 2022 recommendedto grant access (Art. 14 FSCA). fedpol upheld the refusal of access (Art. 15 para. 2 lit. a FSCA), which is why the applicant appealed to the FAC. The FAC dismissed the appeal (A‑1310/2022). Burri and Breitschmid have published these decisions in medialex 03/24 discussed.

The Federal Supreme Court confirms the decision of the FAC and finally dismisses the appeal against the refusal of access.

Although Art. 67 NDG as a special provision reserved under Art. 4 lit. a BGÖ is not applicable because the fedpol No “news search” in the sense of the LRens:

6.2 L’art. 4 let. a LTrans toutefois réserve les dispositions spéciales d’autres lois fédérales qui déclarent certaines informations secrètes. A special disposition may thus prevent access to an official document or subject it to divergent rules that may be more stringent […]. This is the case of art. 67 LRens, mentioned by the TAF. This provision provides that the LTrans does not apply to access to official documents relating to the search for information within the meaning of the LRens […]. In particular, fedpol does not expose information research within the meaning of the LRens. Il n’explique pas non plus en quoi l’art. 67 LRens would be applicable. Il n’y a donc pas lieu d’appliquer de dispositions spéciales réservées au sens de l’art. 4 let. a LTrans.

However, Art. 7 para. 1 lit. b BGÖ is applicable to the Protection of the effectiveness of specific official measures:

[…] This exception may be invoked if, with a high degree of probability, a measure is not or not fully effective if certain information that prepares that measure has been made accessible. Maintaining the secrecy of the information must be seen as the key to the proper execution of the envisaged measure […].

[…]
In particular, the Tribunal administratif fédéral considered that there were sufficient elements to consider that the maintenance of secrecy with regard to the type(s) of spyware(s) used in Switzerland constituted the key to the proper execution of the surveillance measure by the Swiss authorities. GovWarede sorte que l’exception au principe de la transparence de l’art. 7 al. 1 let. b LTrans était réalisée.

Il a retenu en substance que la divulgation to the public of the existence of a specific type of espionage software used in the context of criminal proceedings and in the field of intelligence allows, with a high degree of certainty, various circles (including the persons susceptible to be concerned by the surveillance GovWare) to gain an overall view of the technical possibilities offered by this surveillance measure, as well as its limitations. The previous instance added that the security failles created or exploited by a logiciel GovWare pouvaient, le cas échéant, être utilisées par des criminels pour introduire des programmes malveillants (cf. Pajarola/Jakob, Kommentar zur Schweizerischen Strafprozessordnung [StPO], Donatsch/Lieber/Summers/Wohlers [éd.], 3e éd. 2020, art. 269ter n° 20).

[…]
The appellant’s argumentation is based […] solely on the allegations of fact and does not respond in any small measure to the motivation of the challenged decision, which states that the maintenance of secrecy constitutes the key to the proper execution of the surveillance measure by GovWare. […] Or la connaissance de l’utilisation d’un logiciel déterminé peut impliquer la connaissance de (nouvelles) spécificités techniques dudit logiciel. Such information is likely to render inadmissible the surveillance attempts made with the help of the logic of which the use has been detected. […]

Art. 7 para. 1 lit. c FSCA (protection of Switzerland’s internal and external security) is also applicable:

[…] Un risque de mise en péril de la sûreté intérieure ou extérieure est admis lorsque la divulgation d’un document ou d’une information emporterait un risque élevé d’attaque […]. Information relating to the organization, activity and strategy of the competent authorities, particularly in terms of security, and even special surveillance software used by these authorities may also be covered by the exception provided for in Art. 7 al. 1 let. c LTrans […].
[…] le TAF […] a considéré qu’il existait un lien étroit entre l’atteinte sérieuse et prévisible à l’efficacité de la mesure de surveillance par GovWare […] on the one hand, and the effectiveness of the criminal proceedings, as well as the investigations conducted by the SRC, on the other: whether the persons concerned could, in one way or another, be subject to the surveillance order, or whether the spyware in question – or the security facilities used or created – could be used for malicious purposes by third parties, the criminal prosecution authorities and the SRC would be deprived of an effective and essential instrument in the fight against crime, in the prevention and detection of menaces for the security of Switzerland. […]

Bundesgesetz über Informationssysteme in den Sozialversicherungen (BISS): Botschaft und Entwurf

David Vasella — Wed, 01 Oct 2025 08:08:36 +0000

The implementation of the 1st pillar (AHV, IV, EL, EO and family allowances) is based on heterogeneous and partly paper-based processes. These are “often inefficient” and the lack of “structured data processing” extends processing times, makes “modern technologies such as the use of artificial intelligence” more difficult and prevents “modern” electronic communication.

The Federal Council therefore wants to Federal Act on Information Systems in Social Insurance (BISS) create the basis for “an end-to-end electronic administrative procedure without media discontinuity in Pillar 1 social insurance and family allowances”.

In particular, the BISS provides for the operation of a central e‑social insurance platform (E‑SOP) The use of which is mandatory for the implementing bodies and insurance providers concerned and voluntary for insured persons. Introduction is planned from 2028 at the earliest. In order to be able to integrate the other social insurance schemes into electronic communication, further foundations are to be created in the ATSG and the special laws.

The Federal Council adopted the draft and dispatch in September 2025:

Media release including background documents
Draft
Message

Interpellation Hässig (25.4193): Rasche Einbettung von Registern in den Gesundheitsdatenraum Schweiz

David Vasella — Fri, 26 Sep 2025 08:36:37 +0000

Interpellation Hässig (25.4193): Rapid embedding of registers in the Swiss health data space

Submitted text

In its statement of August 20, 2026 on the Crottaz motion 25.3621 “The creation of a single national cancer registry is urgent”, the Federal Council criticizes that the consistent and uniform cancer registration suffers from “difficulties in connection with compliance with the reporting obligation, with the data flows in the decentralized and heterogeneous registry landscape and with insufficiently digitized or inefficient processes”, among other things. The integration of cancer registration into the Swiss Health Data Space is being examined. Research into diseases, the development and review of therapies and therefore also the quality of care benefit from the availability of high-quality health data.

Despite the fundamental challenges Various register projects processed. The consultation on the Federal Act on Measures to Combat Rare Diseases has been opened and also includes a register and a data coordination office that can store, process and link data on rare diseases. In themselves, all of these projects serve to digitize the healthcare system and are to be welcomed in principle. As an overall view and a coordinated approach are essential, I would ask the Federal Council to answer the following questions:

How can the Federal Council ensure that Each register is uniformly integrated into the health data space becomes?

As Switzerland is still lagging behind in terms of digitization: What stages and timeframe does the Federal Council envisage for the integration of registers into the health data space?

Can the Federal Council ensure that data from the registers within the health data space is available for later use by the Research be provided?

How does the Federal Council intend to ensure in future that the Digitization projects within the FOPH sensibly coordinated are?

Motion Marti (25.4235): Stärkung der digitalen Souveränität durch gerechte Besteuerung und Förderung der Entwicklung alternativer Lösungen

David Vasella — Fri, 26 Sep 2025 08:33:32 +0000

Motion Marti (25.4235): Strengthening digital sovereignty through fair taxation and promoting the development of alternative solutions

Submitted text

The Federal Council is instructed:

Introduce fair taxation for large digital platforms and companies, for example through a tax on the turnover generated in Switzerland. It ensures that, in coordination with the OECD and the European Union, effective instruments are introduced to combat the shifting of profits to tax havens.

Actively support local and European innovation by creating favorable conditions for businesses that safeguard the public interest and are based on ethical standards and transparency.

Examine targeted funding instruments, such as the creation of a public investment fund to support start-ups and SMEs, to promote research and cooperation between universities and industry and to promote the development of open source solutions and sovereign digital infrastructures.

Examination of the establishment of a sovereign fund for investments in alternatives to the American technology giants that are anchored in the Swiss and European ecosystem.

Justification

The current development in digitalization is worrying. A few companies are concentrating unprecedented economic and political power. This concentration of market and opinion power allows these corporations to undermine the rules of the market, but also to dominate the public debate, with a major impact on privacy, democratic discourse and communication from an early age. These companies also largely evade social responsibility, among other things with a targeted strategy of tax avoidance and the circumvention of local laws. The great dependence on a few US or Chinese-dominated big tech companies has become increasingly explosive in the current geopolitical situation. Reducing dependence on these technologies is also in the interests of national security. Action must therefore be taken on two levels:

Taxation: Introduction of appropriate taxation so that these companies make a fair contribution where they actually generate their turnover.

Innovation and alternatives: Removing barriers to entry for new actors through financial and institutional support for local and European solutions.

Interpellation Flach (25.4133): Cyber-Legion für die Demokratie

David Vasella — Fri, 26 Sep 2025 08:18:07 +0000

Interpellation Flach (25.4133): Cyber-Legion for democracy

Submitted text

The spread of misinformation and the manipulation of public debates by bots and coordinated disinformation campaigns pose an increasing threat to democratic opinion-forming, public security and trust in state institutions. Other European countries are already relying on increased government measures to counter such information offensives: Poland has significantly expanded its cyber and information defence capacities following several serious incidents and intensified government and civil society initiatives to identify and expose fake news; government agencies and press agencies are working on programs to identify and counter disinformation. Estonia and other countries are pursuing complementary models that combine state capacities, voluntary cyber defense units and cooperation with civil society fact-checkers. Such models combine technical detection (bot analysis, network metrics) with rapid, factual counter-messages and transparency measures.

Against this background, I would like to ask the Federal Council for information on the possibilities, to establish a coordinated, legally bound “Cyber-Legion” in Switzerland – understood as a state-supported, transparently managed unit for the detection and factual correction of false and bot narratives in social media.

On what legal basis could such a unit be operated? What barriers (constitution, data protection) would have to be observed?

How could the Federal Council define the purpose, tasks and limits? Which measures would be permissible and which would be excluded?

How could cooperation with fact-checking bodies, media, research institutions and platforms be organized so that government counter-information does not appear as censorship?

What mechanisms could ensure transparency, accountability and control (e.g. register, reports, advisory board)?

What technical means (bot detection, NLP, etc.) could be used, and how could errors and interference in legitimate communication be minimized?

Could the federal government enter into agreements with platforms or limit itself to recommendations and guidelines?

Could legal adjustments be needed to sanction botnets more effectively?