Illustration via Max Fleishman

Can Switzerland become a safe haven for the world’s data?

Switzerland sits outside the European Union, and that could make all the difference.


Jonathan Keane


As United States and European Union regulators debate a sweeping new data-privacy agreement, Switzerland is presenting itself as a viable neutral location for storing the world’s data thanks to strict privacy laws and ideal infrastructure.

The Swiss constitution guarantees data privacy under Article 13. The country’s laws protecting privacy are similar to those enacted by the E.U. Swiss data protections are also, in some cases, much stricter than those of the E.U., according to Nicola Benz, attorney at Swiss law firm Froriep. And since Switzerland is not part of the E.U., data stored there remains outside the reach of the union’s authorities.

“Swiss law contains things that we call blocking statutes,” Benz said, “which mean that foreign authorities can’t conduct their authority’s functions on Swiss soil unless they follow the proper judicial channels.” The country’s tight privacy laws could make the small nation more attractive to privacy-focused start-ups. And it already has that momentum.

After former NSA contractor Edward Snowden’s 2013 revelations about the National Security Agency’s secret surveillance activities, Switzerland witnessed something of a boom in its data-center business. Phil Zimmermann, creator of the popular PGP encryption protocol and founder of Silent Circle, even left the U.S. for Switzerland last year, citing the overreach of American authorities.

“We do things properly, and we follow the rules, and we are committed to the security of your data.”

Andy Yen, CEO of Swiss-based encrypted email service Protonmail, said that the country has robust processes for handling data requests from authorities.

Data requests have to go through a court like in most countries, said Yen, but “the person that’s having their data requested needs to be notified eventually about the request happening and there’s an opportunity to fight it in an open court. This is quite different than the U.S., where things can go through a so-called FISA court.”

Hoping to make the most of the opportunity, data center operators are trying to woo companies into storing data in the country.

Vigiswiss, a trade group of Swiss data center companies, is promoting Switzerland as the “world’s safe haven for data,” pointing to its privacy laws and to a charter for members to abide by, which covers matters such as the types of data they store.

“For company data, the level [of protection] is higher than in the E.U. because we consider company data as personal data, which is not the case in the E.U., so that’s why companies have an interest in putting their data in Switzerland,” said Florian Ducommun, a lawyer and member of Vigiswiss’ strategic board.

On top of the legal benefits, Switzerland boasts the infrastructure and environment for building efficient data centers. During World War II, Switzerland burrowed underground tunnels and bunkers through the Swiss Alps for security. Mount10, a data center company, has built facilities in these bunkers to protect against natural disasters and terrorist attacks.

But storing data in Switzerland is one thing. Transferring data to and from the U.S. is another issue, as we have seen with the collapse of Safe Harbor, which the E.U.’s top court struck down in October over concerns about U.S. surveillance, and the debate over its successor, a pact known as Privacy Shield.

When Safe Harbor died last year, it left a lot of question marks around Switzerland’s own agreements with the U.S., known as the U.S.-Swiss Safe Harbor framework, which is also now invalid. The loss of Safe Harbor also caused consequential complications for U.S. technology firms, like Google and Facebook, which regularly transfer data to European countries and back to the U.S.

A spokesperson for Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) told the Daily Dot that it is currently recommending Swiss businesses and authorities “enter into additional contractual guarantees and arrangements to secure better protection for personal data” transferred to the U.S.

In March, Switzerland appointed a new data protection commissioner, Adrian Lobsiger. The ongoing Privacy Shield discussions will likely inform the path that his office takes, according to law firm Prager Dreifuss in a paper published in January, but concerns still linger over surveillance once data leaves the country.

“Certainly our recommendation to most clients is that even once this new Privacy Shield comes into play, they should probably keep their [contract] agreements in future,” said Benz. “We’re still not confident that the Privacy Shield will stand up to test.”

For all their promises of data security within the country, Swiss data-center providers and the Swiss government cannot, at this time, prevent abuses once data leaves the country’s borders.

“Other governments, we’ve seen with the whole Snowden affair, may still be looking at the data, so it’s very much a question of what technical safeguards are in place. There’s nothing that Switzerland can do as a state, any more than any other state, to stop that,” said Benz.

Domestic surveillance is a concern, too. In September 2015, the government passed a new law to expand law enforcement’s surveillance capacities. However, given Switzerland’s model of direct democracy, anyone who gathers more than 50,000 signatures in opposition within 90 days will halt the law from coming into effect, pushing it instead to a public ballot.

Protonmail and several other opposition groups did just that earlier this year, and that referendum will take place later in 2016.

“This is very powerful because outside pressure can be put on the Swiss government to introduce new laws, but these laws cannot actually come to power unless the population approves of it,” Yen said of the referendum.

Even with these victories and the country’s commitment to privacy, Switzerland’s position as a future “data refuge” will be put to the test, according to former FDPIC chief Hanspeter Thür.

“We all know the United States like to enforce their laws abroad,” he said. “The future will show if Swiss institutions will be able to resist them.”

The Daily Dot