The recent past has witnessed an increasing need for Swiss companies to conduct internal investigations and to disclose or hand over some or all of the results of those investigations to regulatory or other law enforcement authorities abroad, notably the United States. This update examines the main statutory obstacles with which Swiss companies are faced when responding to a foreign authority's request for information or document production. Those statutory obstacles need to be overcome irrespective of whether a Swiss company is fully (or even voluntarily) cooperating with a foreign authority.
Increasingly, Swiss companies have been the target of investigations by US regulatory authorities (Federal Trade Commission, Futures Trading Commission, Securities and Exchange Commission, Department of Justice). A Swiss company's involvement in these regulatory (or administrative) proceedings can broadly be described as falling within one of two categories. Sometimes the Swiss company will itself be responsible for starting those proceedings (eg, as a leniency applicant or whistleblower). In such cases the Swiss company has an interest in proactively cooperating with the competent US authorities. In other cases a Swiss company will find itself defending against allegations raised by US regulatory authorities in proceedings that started either because another company (or employee) blew the whistle or as a result of a complaint.
Swiss rules relating to banking secrecy are excluded from the ambit of this update.
For the purpose of this update, the notion of 'documents' or 'information' is broad, including hard-copy documents, electronic documents, email traffic, chats and tweets.
Forbidden services for foreign states
Article 271(1) of the Penal Code provides that:
"[w]hoever performs, without authorization, acts on Swiss territory for a foreign state which are reserved to a public authority or a public official, whoever performs such acts for a foreign party or any other foreign organization, whoever aids and abets such acts, shall be fined or punished with a term of imprisonment of up to three years, in serious cases with a term of imprisonment of not less than one year."
Article 271 protects Switzerland's territorial sovereignty and aims at preventing foreign states or parties from circumventing international conventions on judicial assistance.
The gathering or taking of evidence in Switzerland for use in foreign proceedings (including any preparatory act performed on Swiss territory) qualifies as an act within the scope of Article 271. This is particularly the case with regard to the interrogation of witnesses (depositions) or the collecting of written witness statements on Swiss territory. The same applies if a party is to produce or obtain documents for use in foreign proceedings which are not in its possession or under its control and must be gathered from a third party in Switzerland.
The assessment under Article 271 of a party submitting its documents is not entirely clear. In an
obiter dictum, the Federal Supreme Court held that a party submitting its (own) documents in foreign proceedings does not constitute an official act but a private act, and thus is not subject to the restrictions set out in Article 271.
(1) However, according to the federal attorney general, any submission must additionally be voluntary (ie, absent of any formal request or order). Whether this requirement will be upheld by the Federal Supreme Court cannot be predicted with any certainty. Until this matter is clarified, there is a real chance of criminal prosecution for any Swiss company submitting its own documents in foreign proceedings on a non-voluntary basis (ie, in response to a foreign order such as a subpoena).
Article 271 applies only to the performance of official acts without proper authorisation. 'Authorisation' in the sense of this provision means:
- a general waiver by way of judicial assistance proceedings according to a specific Swiss federal statute;
- a bilateral or multilateral international convention; or
- in exceptional cases, an authorisation granted on an individual basis – an individual authorisation (if sought) must be applied for by the competent governmental department.
Article 273 of the Penal Code reads as follows:
"Whoever spies out an industrial or business secret in order to make it available to a foreign state agency or a foreign organization or private undertaking or its agents, whoever makes an industrial or business secret available to a foreign state agency or a foreign organization or private undertaking or its agents, shall be fined or punished with a term of imprisonment of up to three years, in serious cases with a term of imprisonment of not less than one year. The prison sentence may be combined with a fine."
Article 273 is designed to protect national public and economic interests at large. The provision penalises any conduct which provides a foreign addressee with the opportunity to gain insight into Swiss business secrets.
A 'secret' within the meaning of Article 273 is any fact which is not publicly known or accessible and which shall be kept secret pursuant to the intention of the master of the secret, provided that this interest in keeping it secret is worth protection. An objective interest in secrecy that is worthy of protection is presumed. The definition of a 'secret' in Article 273 is comparable to that under Article 162 of the code (see below). Moreover, the secret must have a connection to Switzerland, either because it affects Swiss national interests or because the private party whose secrets are protected resides in Switzerland.
In 1977 the federal attorney set out defined guidelines as to what constitutes economic espionage under Article 273. The crucial statements are:
"1. As far as the disclosure is restricted to information with regard to which solely the disclosing person has a secrecy protection interest, the decision on the disclosure of such information can be left to this person.
2. However, according to Article 273 [of the Penal Code], it is forbidden and punishable to inform a foreign entity about economic facts
a) with regard to which there is a (direct) secrecy protection interest of Switzerland as a whole, or
b) with regard to which a third party that has not given its prior formal consent to the disclosure has a secrecy interest worthy of protection."
Thus, a company is free to disclose its own secrets (unless the disclosure harms the direct interests of the Swiss national economy, such as national economic supply in times of war or crisis). By contrast, it is not allowed to disclose the secrets of any Swiss third party. However, to the extent that secrets of a Swiss third party are concerned, such party may consent to disclosure (provided that the disclosure does not harm any direct interests of the Swiss national economy).
While the 1977 guidelines called for prior formal consent, there is a tendency in legal writing today to adopt a more flexible approach and to accept tacit waivers. Thus, if in the circumstances the master of the secret has evidently accepted the risk of disclosure, such a tacit waiver will, most probably, also be accepted as permitting disclosure.
Article 273 does not protect the interests of foreign third parties, even if the disclosing person is domiciled in Switzerland. This applies, in particular, to relations between foreign affiliates of Swiss companies and their business partners, as well as to agreements between parties domiciled in Switzerland and their business partners abroad – provided, however, that such agreements do not contain secrets of other persons or companies domiciled in Switzerland.
Disclosure of secrets does not violate the law if a competent Swiss authority orders disclosure (eg, in the course of judicial assistance proceedings). Conversely, an order by a foreign authority does not justify disclosure. In particular, according to the view of the Swiss government, a person or entity disclosing secrets in compliance with a foreign subpoena (or any other order or threat) is in breach of Article 273. The Swiss government even believes that such foreign pressure – however strong it might be – does not create a state of distress justifying the breach of Article 273. Otherwise, foreign authorities might be tempted simply to increase the pressure until a suitable state of distress is reached.
Violation of an industrial or business secret
A person disclosing a protected secret may also be punished according to Article 162 of the Penal Code, which stipulates that:
"[w]hoever discloses an industrial or business secret which he is bound to keep by law or by contract, whoever takes profit of such disclosure for himself or for any other person, shall, on request, be fined or punished with a term of imprisonment of up to three years."
Article 162 is designed to protect not only private Swiss interests, but also (and unlike Article 273) foreign interests. It prohibits the disclosure of information which has been entrusted by one party to another with the obligation to keep it secret. Therefore, the offender shall be punished only at the request of the master of the secret.
A 'secret' in the sense of Article 162 is any fact, information or document which:
- is not obvious and generally accessible;
- shall not be disclosed because it is not intended to be brought before the public; and
- is worth being kept secret.
The definition of a 'secret' in Article 162 is comparable to that under Article 273.
Industrial secrets relate to the details of production proceedings. They comprise plans, receipts, procedures and similar. Business secrets relate to supply sources, organisation, prices and clients. To be worthy of protection under Article 162, both industrial and business secrets must somehow be able to affect business results. It does not matter whether the secret originates in Switzerland or elsewhere; nor does it matter whether the master or the receiver of the secret is domiciled in Switzerland.
Contrary to Article 273, the business and industrial secrets protected under Article 162 may be violated only by a person who is subject to a statutory or contractual confidentiality obligation (or by any person taking profit of such violation). Contractual secrecy obligations in the sense of Article 162 certainly exist where there is an explicit clause in an agreement.
In Switzerland, the processing of personal data by the private sector is governed by the Data Protection Act and its implementing ordinance. The act is aimed at protecting individuals and legal entities against the misuse of their personal data (ie, all information relating to an identified or identifiable person).
(2)
The act provides certain basic principles of data processing. Thus, personal data may be processed only for the purpose:
- for which it was collected;
- which is evident from the circumstances; or
- which is provided for by law.(3)
Furthermore, according to the principle of proportionality, data processing must not be excessive and must be undertaken in good faith.
(4)
In addition, the act provides that personal data must not be disclosed abroad if the privacy of the persons concerned is seriously jeopardised as a consequence.
(5) Jeopardy is presumed by virtue of law if the country of destination lacks comparable data protection.
If comparable data protection is lacking, data may be disclosed abroad only if one of the requirements set out in Article 6(2) of the act is fulfilled:
- sufficient safeguards ensuring adequate protection, in particular by way of agreement (lit a);
- consent of the data subject in an individual case (lit b);
- direct connection of the processing of a contractual party's data with the conclusion or performance of a contract (lit c);
- disclosure being essential either in order to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal claims before the courts (lit d);
- disclosure being required in order to protect the life or physical integrity of the data subject (lit e);
- the data subject having made the data generally accessible and not having expressly prohibited its processing (lit f); and
- disclosure within the same company or group of companies, if binding corporate rules on data protection are in place that safeguard adequate protection (lit g).
The federal data protection and information commissioner must be informed about the safeguards pursuant to lit a and the data protection rules pursuant to lit g.
(6) The list of constellations in Article 6(2) is exhaustive. In particular, an overriding private interest is insufficient justification for the disclosure of data abroad.
The commissioner keeps a non-binding list of countries which are considered to have data protection equivalent to Swiss law.
(7) The transfer of personal data to a country that does not have comparable data protection is deemed a breach of privacy rights,
(8) unless one of the specific requirements of Article 6(2) is fulfilled.
The United States does not feature on the commissioner's list of countries with data protection equivalent to Swiss law. However, the commissioner agreed with the US Department of Commerce on a US-Swiss Safe Harbour Framework in December 2008.
(9) This framework allows US companies and other organisations to self certify to the Department of Commerce their adherence to specific data protection principles. Data transfer to self-certified companies and organisations is possible without the need for an individual data protection agreement or one of the other requirements under Article 6(2) being fulfilled.
Whoever processes personal data without complying with the act may be sued for violation of privacy rights.
(10) The petitioner may claim, among other things, the declaration of the unlawfulness of the data transfer and damages. In addition, the act stipulates penal sanctions (fines up to Sfr 10,000) for failure to comply with the obligation to inform the commissioner as required under Article 6(3) of the act.
(11) The act does not provide for penal sanctions in case of a violation of its basic principles for processing personal data, except in the case of unauthorised disclosure of secret and sensitive personal data or personality profiles obtained by a person during his or her employment.
(12)
Processing of data on employees
The act also applies to the personal data of employees. In addition, the employer may process the personal data of its employees only in accordance with Article 328(b) of the Code of Obligations, which reads:
"The employer may process data of the employee only to the extent that such data relates to the employee's suitability for the employment relationship or is necessary to perform the employment contract. Furthermore, the provisions of the Federal Data Protection Act of June 12, 1992, shall apply."
Generally speaking, Article 328(b) restricts the processing of data in an employee relationship to job-related data. Notably, this provision is mandatory in favour of the employee – namely, the employee cannot validly consent to the processing of his or her personal data beyond the scope defined by Article 328(b).
A violation of Article 328(b) is deemed a breach of the employment contract and exposes the employer to damages.
There are several statutory provisions to be observed by a Swiss company before documents or data can be transferred abroad in the context of a foreign investigation or proceedings abroad. The observance of those provisions can be a particular nuisance in circumstances where the Swiss company is seeking to cooperate (voluntarily) with a foreign authority's investigation. In that case, care must be taken to seek constructive dialogue with the foreign authority to explain the pertinent legal provisions and the restrictions they place on a Swiss company's ability to cooperate. In particular, it needs to be emphasised to the foreign authority that Swiss law does not prevent cooperation, but that it may delay timely cooperation (eg, because a formal authorisation needs to be obtained before data can be sent abroad). Foreign authorities (particularly in the United States) appear to be receptive to well-meaning explanations and they usually try to accommodate the domestic law restrictions to which a Swiss company may be subject.
Endnotes
(1) BGE 114 IV 128, 131 [1988].
(2) See Article 3(a) of the act.
(3) See Article 4(3) of the act.
(4) See Article 4(2) of the act.
(5) See Article 6(1) of the act.
(6) See Article 6(3) of the act.
(8) See Article 13(1) of the act.
(10) See Articles 12 and following of the act.
(11) See Article 34(2)(a) of the act.
(12) Article 35 of the act.