
9 February 2023

What Swiss Hosting Providers Should Consider When Dealing With Disclosure Orders

Swiss hosting providers increasingly face requests from criminal authorities to disclose data relating to a specific customer relationship. In order not to expose themselves to a liability risk, they should consider several things when dealing with such orders, and in particular not hand over data recklessly.

1. Swico Guidelines on Authority Requests

In order to make it easier for Swiss hosting providers to deal with enquiries from authorities and courts regarding customers' activities, information and content, Swico – the Swiss trade association of the ICT and online industry – published «Guidelines on Authority Requests» in 2020.

These guidelines contain various technology-appropriate principles of conduct for Swiss hosting providers, and also specifically deal with disclosure orders of criminal authorities.[1] They have proven themselves in practice and significantly contribute to improving legal certainty on the internet.

2. General Requirements for a Disclosure Order

If a hosting provider is faced with a disclosure order of a criminal authority, they should check the following:

  1. Is the issuer of the disclosure order a Swiss criminal authority?
  2. Is there a written, signed and (at least briefly, stating the relevant criminal offence) reasoned disclosure order?
  3. On what legal basis does the criminal authority request information?
  4. Is the customer relationship in question sufficiently specified?
  5. Are the information/documents etc. to be disclosed sufficiently specified (e.g. disclosure of holder data concerning a specific client or disclosure of specific content made accessible by a specific client etc.)?

3. Ask the Criminal Authority for Rectification if Necessary

If the hosting provider has to answer «no» to one or more of the aforementioned questions, they should contact the requesting criminal authority and ask for a rectification of the disclosure order.

If there are doubts about the existence of the requesting criminal authority and/or the authenticity of the disclosure order, it is advisable to first research the authority concerned, call them via a publicly listed telephone number, and verify the request with them.

As a general rule [2], Swiss hosting providers should not disclose any data based on enquiries of foreign (criminal) authorities. Rather, the providers should refer the authority concerned to the international administrative or legal assistance channel. Otherwise, they expose themselves (or, respectively, their decision-makers) to the risk of criminal liability under Art. 271 Swiss Criminal Code (unlawful activities on behalf of a foreign state).

As far as the specification of the disclosure order is concerned, the hosting provider must demand that the order is written so precisely that the hosting provider can separate out the data concerned without doubt and without their own interpretation and/or selection. In case of doubt, the hosting provider should ask the requesting criminal authority for rectification here as well. The same applies if the disclosure order proves to be misleading and, for example, incorrect technical terms are used. One might think of a disclosure order that obviously deals with hosted content, but only mentions «data concerning the domain name xyz.ch».

If hosting providers recklessly disregard the aforementioned requirements and thoughtlessly provide data to the requesting criminal authority, they run the risk of being liable for damages to their customers and/or affected third parties.

4. Coordinate the Modalities of Data Delivery with the Criminal Authority

If a disclosure order meets the above-mentioned requirements, the respective hosting provider should coordinate the specific technical modalities of the data delivery with the requesting criminal authority.

When defining the technical modalities, the hosting provider should take into account the current state of the art, the sensitivity and the volume of the data in order to ensure a level of data security appropriate to the circumstances.

Data which can be accessed from public sources (e.g. imprint) can generally be sent to criminal authorities by e-mail. In contrast, a hosting provider should make data that is not publicly accessible available in encrypted form and provide for a protected access.

5. Comply with any Prohibition of Communication

Disclosure orders issued by criminal authorities regularly contain a prohibition of communication, i.e. an order issued under threat of criminal prosecution (Art. 292 Swiss Criminal Code) in the event of a violation, to maintain silence about the order as well as about related circumstances, and not to do anything that could draw the attention of the accused person or third parties to the ongoing criminal investigation. In order not to expose themselves (or, respectively, their decision-makers) to the risk of criminal liability under Art. 292 Swiss Criminal Code, hosting providers or their responsible bodies should strictly comply with such order, and also ensure that all employees involved with the respective disclosure order are informed of the prohibition of communication.

If the hosting provider intends to terminate the respective customer relationship (for example, because they suspect unlawful content made accessible by the customer and would be contractually entitled to terminate without notice), the hosting provider should consult with the criminal authority before terminating in order not to undermine the purpose of the prohibition of communication (it would be possible that the customer would infer from the termination without notice that criminal proceedings are pending against him or her, so that he or she could, for example, delete data and thus prevent effective criminal prosecution).

6. Sealing is not the Panacea

Contrary to what the current coverage around the Berset/Lauener affair (cf. for example the article in NZZ am Sonntag of 5 February 2023, p. 9) might suggest, sealing is by no means a panacea that hosting providers could and should use in response to disclosure orders.

Sealing is an instrument that can be used to prevent or at least delay the disclosure and use of data by criminal authorities. It serves to protect the secrecy of the persons concerned: Sealing is intended to prevent the criminal authorities from learning secrets of which they should not have any knowledge. It is an immediate measure that takes effect with the mere assertion (i.e. with the sealing request) and avoids any knowledge by the criminal authorities. In order to be able to use the data after all, the respective criminal authority must request the unsealing of the data concerned from the competent (unsealing) court in separate proceedings.

Sealing is regulated in Art. 248 of the Swiss Criminal Procedure Code (CPC). This provision was recently revised (it is currently intended to be effective from 1 January 2024; see also here [in German]). According to the current wording of Art. 248 para. 1 CPC, «records and objects which, according to the holder, may not be searched or seized because of a right to refuse to testify or to give evidence or for other reasons» must be sealed. No formal requirements apply to the sealing request. The inadmissibility of the search must only be made credible, but does not have to be proven. Based on Art. 248 para. 2 revCPC, criminal authorities will now be obliged to actively inform customers of hosting providers of the right to request sealing after receiving the requested data.

Under both current and revised law, however, sealing «for» third parties (such as clients) is not permitted by law. A sealing request can only be made by those who assert their own interests in secrecy (cf. for example Swiss Federal Supreme Court's judgment 1B_243/2021 of 20 December 2021, cons. 3.6 [on the VStrR, in German]; Swiss Federal Supreme Court's judgment 1B_210/2017 of 23 October 2017, cons. 6.4 [on the VStrR, in German]; Swiss Federal Supreme Court's judgment 1B_562/2011 of 2 February 2012, cons. 2 [in German]).

Scenarios in which a hosting provider's own secrecy interests are affected when facing a disclosure order are very rare in practice (for example, if the disclosure of data relating to a specific customer were to be requested, which also includes correspondence between the hosting provider and its legal representation).

7. On the Power of the Swiss Criminal Authorities

Whether it is appropriate for Swiss criminal authorities (as opposed, for example, to telephone surveillance) to be able to access e-mails and other data without a court authorisation, simply by requesting hosting providers to hand over such data, is a question of legal policy.

From the point of view of the persons concerned, this may be unsatisfactory. Hosting providers as intermediaries can only change this power structure to a limited extent under current law, by not complying with insufficient disclosure orders and asking the criminal authority for rectification.

A restriction of the legal possibilities of Swiss criminal authorities (e.g. introduction of a court authorisation requirement) or an expansion of the legal remedies of the persons concerned could ultimately only be achieved through legislation.



[1]      The Guidelines also address disclosure orders in civil proceedings, orders for telecommunications surveillance, questioning/interrogation of persons and actions by authorities or authorized representatives in place of the client. These scenarios are not part of the present article.

[2]      In exceptional cases, foreign authorities (based on Art. 32 letter b of the Cybercrime Convention) may address requests directly to Swiss hosting providers. However, the direct disclosure of inventory and marginal data abroad outside of the international administrative or mutual legal assistance channels is not legally enforceable. Voluntary direct disclosure is only permitted where the customer in question has contractually authorized the hosting provider to do so.



Authors: Jonas D. Gassmann, Dr. Rolf Auf der Maur

Categories: Data & Privacy, Information and Communication Technology, Investigations & eDiscovery, Litigation and Arbitration, White-collar crime
