Data Protection and Privacy 2025

SWITZERLAND Law and Practice Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd

frame of reference for the use of AI within the federal administration, and FINMA issued binding guidelines on outsourcing and data security for the financial and insurance sector.

The following FADP safeguards can be applied to AI systems.

• Privacy by design/privacy by default: The data controller is obliged to implement technical and organisational measures to ensure that processing complies with data protection requirements, right from the outset.

• Obligation to carry out an impact assessment: Where the planned processing is likely to pose a high risk to individual or fundamental rights, the data controller must first carry out a data protection impact analysis. High risk exists in particular in the case of large-scale processing of sensitive data or systematic surveillance of large parts of the public domain.

• Transparency obligation for automated decisions: The data controller must inform the data subject of any decision taken exclusively on the basis of automated personal data processing that has legal effects on the data subject or significantly affects him or her. The data subject also has the right to express his or her point of view and to demand that the decision be reviewed by a natural person. These measures do not apply where the data subject has expressly consented to the decision being taken by automated means, or where the decision is directly related to the conclusion or performance of a contract and the data subject’s request is met. If the automated decision is made by a federal body, such body must qualify it as such. The right of the data subject to express his or her point of view and to demand that the decision be reviewed by a natural person does not apply when he or she does not have to be heard before the decision is made. When exercising his or her right of access, the data subject receives, in particular, information concerning the existence of an automated decision and the logic on which the decision is based.

• Requirement for a formal legal basis: Federal bodies are only entitled to process personal data if a legal basis is given. The legal basis must be laid down in a law in the formal sense in three cases, namely (i) the processing of sensitive data (for example biometric and genetic data); (ii) profiling (as defined by the FADP); and (iii) when the purpose or method of processing is likely to cause serious harm to the fundamental rights of the data subject. The use of AI may therefore require a formal legal basis, even in the absence of sensitive data or profiling, if the processing method (eg, automated decision) is likely to seriously affect the fundamental rights of the data subject.

Finally, on 12 February 2025, the Federal Department of the Environment, Transport, Energy and Communications (DETEC) and the Federal Department of Foreign Affairs (FDFA) presented to the Swiss Federal Council an overview of possible regulatory approaches to AI. On the basis of this overview, the Swiss Federal Council has decided on a Swiss regulatory approach for AI based on three objectives: strengthening Switzerland as a location for innovation, safeguarding the protection of fundamental rights, including economic freedom, and increasing public trust in AI. To achieve these objectives, the Swiss Federal Council has set the following key steps for the future: incorporation of the Council of Europe’s AI Convention into Swiss law; sector-specific legislation as far as required (cross-sector regulation), to be limited to central
