This country-specific Q&A provides an overview of TMT laws and regulations applicable in Switzerland.
Is there a single regulatory regime that governs software?
No, Switzerland does not have a single regulatory regime governing software or, moreover, technology per se. The Swiss legislator takes a technology-neutral approach.
How are proprietary rights in software and associated materials protected?
Proprietary rights in software are mainly governed by the Federal Copyright Act. Computer programs are deemed copyrighted works. Unless it is a computer-implemented invention that solves a technical problem, computer software cannot, as a rule, be patented. Work results that do not qualify for copyright protection may be protected by the Federal Act against Unfair Competition and the Swiss Criminal Code. Design elements may be registered under the Federal Design Act.
In the event that software is developed by a software developer, consultant or other party for a customer, who will own the resulting proprietary rights in the newly created software in the absence of any agreed contractual position?
As a rule, copyright in computer software created for a customer remains with the software developer. However, according to the “purpose transfer theory” rights of use to copyrights or copyrights per se are only transferred to the extent that this is necessary to fulfill the purpose of the contract. Given this may result in considerable uncertainty for both parties, it is advisable to clearly address copyright transfer and use rights in the contract.
Are there any specific laws that govern the harm / liability caused by Software / computer systems?
Liability claims may be based on (a) contract law; (b) tort law, (c) statutory provisions applicable to specific industries and, potentially, also on the (d) the Product Liability Act (PLA). The majority of scholars take the view that software shall be deemed a “product” within the meaning of the PLA, however, the Swiss Federal Supreme Court has not yet addressed the question to date. Thus, an amendment of the PLA, in particular also in view of liability for artificial intelligence applications, would certainly clarify the matter.
To the extent not covered by (4) above, are there any specific laws that govern the use (or misuse) of software / computer systems?
The Criminal Code covers certain offenses such as the unauthorized intrusion into a computer system, and the Federal Act against Unfair Competition contains certain provisions to prevent trade espionage and the use of work results that do not qualify for copyright protection.
Other than as identified elsewhere in this overview, are there any technology-specific laws that govern the provision of software between a software vendor and customer, including any laws that govern the use of cloud technology?
Software transactions including cloud agreements are not specifically regulated by Swiss law. The parties, in particular in the B2B context, are free to agree on the specific provisions within the general limits of the law. In the B2C context, providers should adhere to the rules on unusualness and ambiguity introduced by the Federal Court.
Is it typical for a software vendor to cap its maximum financial liability to a customer in a software transaction? If ‘yes’, what would be considered a market standard level of cap?
In most cases, the parties agree to a cap amounting to the annual contract value. However, pursuant to Swiss law, the parties cannot exclude or limit liability for damages caused by intent or gross negligence and for death or personal injury resulting from a negligent breach of contract.
Please comment on whether any of the following areas of liability would typically be excluded from any financial cap on the software vendor’s liability to the customer or subject to a separate enhanced cap in a negotiated software transaction (i.e. unlimited liability): (a) confidentiality breaches; (b) data protection breaches; (c) data security breaches (including loss of data); (d) IPR infringement claims; (e) breaches of applicable law; (f) regulatory fines; (g) wilful or deliberate breaches.
Well drafted technology contracts would exclude all the above from the financial cap, in particular data breaches [(b) and (c)] as well as (g) given that an exclusion of liability for damages caused by intent or gross negligence are not permitted by Swiss law (cf. question 7). Typically, the parties agree on a penalty for confidentiality breaches that may or may not be counted towards damages.
Is it normal practice for software source codes to be held in escrow for the benefit of the software licensee? If so, who are the typical escrow providers used?
Escrow agreements are used in Switzerland and they are enforceable; however, it would be exaggerated to call this a common practice. Many customers choose not to conclude an escrow agreement despite the risks of a lock-in to their provider as they deem it unfeasible to make use of the source code themselves or by third parties once released from escrow. There are no “go to” escrow agents in Switzerland.
Are there any export controls that apply to software transactions?
Software exports may be restricted by Federal Law on the Control of Goods Usable for Civilian and Military Purposes, Special Military Goods and Strategic Goods and, in particular, by the Ordinance on the export and brokering of goods for Internet and mobile phone surveillance.
Other than as identified elsewhere in this questionnaire, are there any specific technology laws that govern IT outsourcing transactions?
In Switzerland, there are no specific laws that govern IT Outsourcing. Moreover, there are various statutory and regulatory frameworks pertaining to particular sectors or types of services such as telecoms or financial services that do contain requirements that have an impact on how technology services are procured. Further, authorities and organisations performing public tasks need to adhere to public procurement laws. As a rule, however, the Swiss legislator takes a technology-neutral approach.
Please summarise the principal laws (present or impending), if any, that protect individual staff in the event that the service they perform is transferred to a third party IT outsource provider, including a brief explanation of the general purpose of those laws.
Article 333 of the Swiss Code of Obligations (CO) stipulates that if the employer assigns its business or a business unit to an acquirer, the employment relationship of any employee affected automatically transfers to the acquirer, unless the affected employee objects to such transfer. This also applies to mergers, splits or asset transfers in accordance with Article 27 of the Swiss Merger Act. The employment agreements are automatically transferred to the acquirer on essentially all existing terms and conditions, including benefits granted under the employment agreement or based on a collective bargaining agreement, as well as accrued holiday entitlements. After the transfer, the acquirer may modify the employment terms.
The former employer and the acquirer are jointly and severally liable for an employee’s claims that are due prior to the transfer, or will become due up to the date the employment relationship can effectively be terminated or until its actual termination based on the employee’s objection to the transfer.
The previous employer is obliged to inform or consult with the employees’ representatives or, if there is no representation, with the employees themselves in good time before the transfer takes place (Article 333a CO).
Which body(ies), if any, is/are responsible for the regulation of telecommunications networks and/or services?
The Federal Communications Commission (ComCom), an independent commission with decision-making powers, is in charge of the regulation of the telecommunications market, of awarding the universal service licence, as well as radio communication licences for the use of the frequency spectrum, of determining access conditions and prices (in the event telecommunications service providers cannot reach agreement), of the approval of the national numbering plans, and of the regulation of the methods of application of number portability and carrier selection.
The Federal Office of Communications (OFCOM) is formally part of the Federal Department of the Environment, Transport, Energy and Communications, and acts as the supervisory authority in the communications sector. It is responsible for tasks relating to regulation and is the national authority in the areas of telecommunications, broadcasting and post, ensuring, in particular, the quality of the universal service and the public service.
The above regulatory bodies are independent of government control.
Please summarise the principal laws (present or impending), if any, that govern telecommunications networks and/or services, including a brief explanation of the general purpose of those laws.
The main law governing the transmission of information by means of telecommunications techniques is the Telecommunications Act (TCA).
The aim of the TCA is to ensure that a range of cost-effective, high-quality, and nationally and internationally competitive telecommunications services is available to private individuals and the business community. The TCA shall, in particular: a) ensure that a reliable universal service is provided at affordable prices for the entire population in all parts of the country; b) ensure that telecommunications traffic is free from interference and respects personal and intellectual property rights; c) allow effective competition in the provision of telecommunications services; and d) protect users of telecommunications services from unfair mass advertising and from abuse associated with value-added services.
On the basis of the TCA, several Ordinances have been enacted and revised: the Ordinance on Telecommunications Services; the Ordinance on Telecommunications Installations; the Ordinance on the Addressing Resources of Telecommunications Services with modernized standards relating to short numbers; the Ordinance on Frequency Management and Radio Licenses, completely revised with technical adjustments; the Ordinance on Electromagnetic Compatibility; and the Ordinance on Fees in the Telecommunications Sector. Further, the Federal Act on Surveillance of Post and Telecommunications and the respective Ordinance apply to communications services.
Which body(ies), if any, is/are responsible for data protection regulation?
The Federal Parliament consisting of the National Council and the Council of States enacted the Federal Act on Data Protection (FADP). The Cantonal Parliaments are responsible for the enactment of the respective Cantonal Data Protection and Information Acts. The Federal Data Protection and Information Commissioner and the Cantonal Data Protection Authorities do not have any regulatory authority.
Please summarise the principal laws (present or impending), if any, that that govern data protection, including a brief explanation of the general purpose of those laws.
The Federal Act on Data Protection regulates processing of personal data by private entities and by the Federal Government, whereas the Cantonal data protection acts regulate processing of personal data by Cantonal bodies. Further, there are data protection related provisions in a variety of further acts (employment, health, insurance laws etc). The aim is to protect data subjects in their fundamental right to privacy provided by Art. 13 of the Federal Constitution. The various acts have been revised or are in the process of being revised in order to align with the EU General Data Protection Regulation (GDPR) and the Council of Europe Convention on Data Protection.
What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable data protection laws?
The FADP follows a different approach to sanctions in comparison with the GDPR as not the organisation or company are fined but rather the responsible individual is criminally prosecuted. The fine can amount to a maximum of CHF 250’000. Such fines cannot be insured or taken over by the organisation or company the responsible individual works for.
Do technology contracts in your country typically refer to external data protection regimes, e.g. EU GDPR or CCPA, even where the contract has no clear international element?
This may occur, in particular in the context of data processing agreements (DPA). This is mainly due to the fact that Swiss law is less prescriptive on the content of a DPA than the GDPR and, thus, references may add some clarity. In general, the CCPA is not referenced in Swiss technology contracts if the contract has no connection to scope and applicability of the CCPA.
Which body(ies), if any, is/are responsible for the regulation of artificial intelligence?
The Federal Parliament consisting of the National Council and the Council of States.
The Federal Council issued the Digital Switzerland Strategy in 2018 and an interdepartmental working group on AI was established. In November 2020, the Federal Council adopted guidelines on the use of AI within the Federal Administration applicable also to federal agencies and external partners entrusted with governmental tasks.
Please summarise the principal laws (present or impending), if any, that that govern the deployment and use of artificial intelligence, including a brief explanation of the general purpose of those laws.
Switzerland does not have any specific laws applicable to AI. Switzerland is closely monitoring the EU developments as regards the AI Act and the activities of the Council of Europe whilst rendering its own assessments whether specific regulations shall be enacted.
Are there any specific legal provisions (present or impending) in respect of the deployment and use of Large Language Models and/or generative AI?
No, to date there are no specific legal provisions.
Which body(ies), if any, is/are responsible for the regulation of blockchain and / or digital assets generally?
The Swiss Parliament and the – to a certain extent within its authority to issue guidelines and circulars– the Swiss Financial Market Supervisory Authority (FINMA).
What are the principal laws (present or impending), if any, that govern (i) blockchain specifically (if any) and (ii) digital assets, including a brief explanation of the general purpose of those laws?
The Distributed Ledger Technology (“DLT-Law”, in force since 2021) introduced a new concept of so-called “DLT-Securities” allowing for the tokenisation of rights, claims and financial instruments such as bonds, shares, structured products or derivatives. The aim is to ensure the tokenisation of rights by providing the legal framework for an electronic registration of rights that entails the same protection as traditional securities. Further, the DLT-Law provides for a new licensing category as a DLT-Trading Venue under the Financial Market Infrastructure Act and contains certain clarifications regarding to the treatment of cryptocurrencies in Swiss insolvency proceedings.
Are blockchain based assets such as cryptocurrency or NFTs considered “property” capable of recovery (and other remedies) if misappropriated?
The revised Federal Ordinance on Banks and Savings Institutions (“FBO”, revised in August 2021), defines the term crypto-based assets as assets that are issued by the issuer or originator with the primary intention to serve as a payment instrument for the acquisition of commodities or services or as an instrument to serve the transfer of money or value. Due to,in particular, their lack of tangibility, cryptocurrencies are not a “thing” in the sense of Swiss civil law and, thus, there is no ownership in the sense of the statutory property provisions. By contrast, securities may be legally owned under Swiss law. Cryptocurrencies to date are not treated as securities by FINMA within the meaning of the DLT-Law and, thus, cryptocurrencies cannot be owned as such. However, cryptocurrencies are considered to have an inheritable value and, accordingly, can form part of the inheritance.
NFTs serve to trade digital objects and to verify ownership as NFTs have embedded metadata that can be used to prove authenticity and genuineness. However, NFTs are unlikely to be classified as payment tokens such as cryptocurrencies, as they do not substitute money. Further, NFTs do not, as a rule qualify as securities. Given their intangible nature, NFTs do not qualify as property in the sense of the Civil Code.
Which body(ies), if any, is/are responsible for the regulation of search engines and marketplaces?
There are no specific governmental bodies responsible for the regulation or even the oversight of search engines and marketplaces in Switzerland.
Please summarise the principal laws (present or impending), if any, that govern search engines and marketplaces, including a brief explanation of the general purpose of those laws.
The general legal principles apply to search engines and marketplaces given that, today, there are no comprehensive rules governing the provision of digital services in Switzerland. Rather, the activities of intermediaries are covered by general legal rules such as the protection of personality, data protection law, criminal law, etc. With regard to commercial advertising, there are regulations that also apply to intermediaries. For example, the Federal Act against Unfair Competition generally obliges intermediaries to label advertising as such. However, there are no legal requirements regarding the labeling or transparency of political advertising on the Internet.
The Digital Markets Act and the Digital Services Act will not apply in Switzerland as Switzerland is not a member of the EU, however, the principles laid out in these two acts have an impact on possible Swiss legislatorial initiatives.
Which body(ies), if any, is/are responsible for the regulation of social media?
Apart from the Swiss legislator, the Federal Parliament, and, to a certain extent, the Fair Trading Commission.
Please summarise the principal laws (present or impending), if any, that govern social media, including a brief explanation of the general purpose of those laws?
Today, there are no comprehensive rules governing social media in Switzerland. Switzerland does not have any measures regarding communication rules and procedural guarantees on social media platforms or transparency regarding bots. In November 2021, the Federal Council issued a report on the activities of platform operators (intermediaries) in the area of public communication and the formation of opinion and will. Hate speech, misinformation, quasi-censorship and non-transparency are identified as problematic areas and the users of social media, or online services in general, should be better protected, including vis-à-vis intermediaries. It remains to be seen whether Switzerland will enact specific laws in this regard.
What are your top 3 predictions for significant developments in technology law in the next 3 years?
Artificial Intelligence: Switzerland is spearheading in AI innovation. Worldwide, Switzerland has the highest number of AI companies per citizen in Europe and worldwide the highest number of AI patents in relation to its population. However, despite calls for regulation in particular from scientists, Switzerland does not have a legal framework specifically applicable to AI. Switzerland is, however, closely monitoring the regulatory developments regarding artificial intelligence in the EU given that Switzerland, albeit not a member of the EU or the EEA, is shaped by EU legislation in order to maintain market access. The discussion in Switzerland currently centers around the question of whether the general legal principles suffice and, if not, whether Switzerland shall pursue an approach of a “one blanket law” as the EU AI Act currently does in order to bridge the gaps not covered by applicable law that AI poses on an ethical, legal and social level. Issues arise in the context of, in particular, fundamental rights, anti-discrimination rights, transparency, copyright law, competition law, liability, administrative law.
HealthTech: Life sciences is an exceptionally important branch of industry in Switzerland, and to secure cross-border trade has become a challenge in view of the enactment of the EU Medical Device Regulation. Further, Switzerland also takes pride in its functioning healthcare system. However, the healthcare sector in Switzerland has a lot of catching up to do in terms of digitization. This applies not only to healthcare facilities, but also to the introduction of the electronic patient dossier – a project that has not been blessed by much luck so far. Further, the legal framework to use health data for scientific purposes is fragmented in Switzerland: The balancing act between promoting general interests and protecting the individual is by no means easy, but the current legal framework does not lead to a satisfactory outcome for either side. It remains to be seen whether the Federal Parliament takes up on initiatives to address these issues in due course.
Digital Rights and Freedom of Expression: The Internet and social media have become central to communication and information exchange, but they have also raised concerns about misinformation, hate speech, and online harassment. Switzerland does not have a specific framework that refines and balances digital rights with societal interests to ensure freedom of expression while combatting harmful content and protecting users from online abuse and will need to address this in the near future.
Do technology contracts in your country commonly include provisions to address sustainability / net-zero obligations or similar environmental commitments?
Today, ESG and particularly sustainability / net-zero goals have become increasingly important in technology sourcing contracts. Suppliers must document how they implement ESG principles in their daily business already within the RFP / RFI process in order to participate in the tender. As a rule, however, Switzerland does not prescribe ESG principles for the technology industry specifically.