Media reports are increasingly covering cases of influencers and private individuals filing criminal complaints because deceptively real pornographic photos and videos of them are being created and distributed using artificial intelligence (AI). Given the shocking quality of these forgeries, there is often a perception that Swiss law is lagging behind this development and that a dangerous legal vacuum exists.

This assessment is incorrect. Although the Swiss Criminal Code does not contain a provision titled “deepfake ban,” the Swiss legal system provides a robust set of instruments to effectively defend against this form of digital abuse.

From photo manipulation to AI forgery: a technological escalation

The manipulation of images to degrade individuals is not a new phenomenon. As early as 2018, politician Jolanda Spiess-Hegglin was the victim of manipulated pornographic depictions. At that time, however, these were still relatively simple photo montages.

The key difference today lies in the quality and accessibility of the technology. Modern AI applications enable even laypersons to generate hyper-realistic video and image sequences with minimal effort—so convincing that even close acquaintances can hardly recognize them as fake. This perfection of deception massively amplifies the psychological burden and social harm for those affected.

Criminal law protection against deepfake pornography

Contrary to some opinions, creators and distributors of deepfake pornography do not act with impunity. Several criminal offences according to the Swiss Criminal Code (SCC) may be relevant.

• Identity misuse pursuant to Art. 179decies SCC:
  Anyone who uses another person’s identity without their consent in order to harm them is liable to prosecution.
• Unauthorized dissemination of sexual content pursuant to Art. 197a SCC:
  Anyone who makes non-public sexual content accessible without the consent of the identifiable person is liable to prosecution. This also applies to generated depictions that give the impression of a real recording.
• Pornography pursuant to Art. 197 SCC:
  The Federal Supreme Court interprets the concept of producing pornography very broadly. Even the targeted downloading or saving of content may qualify as an act of production. In the case of content constituting hard pornography (e.g., involving violence or fictitious minors), production and possession for personal use are already punishable. Once such content is made accessible to others, the threshold for criminal liability is clearly crossed.
• Defamation offences pursuant to Art. 173 et seq. SCC:
  Anyone who, contrary to better knowledge, attributes dishonourable conduct to the victim—namely participation in pornographic acts—may be liable for insult, defamation, or calumny.

Naturally, the applicability of these offences must be assessed on a case-by-case basis.

Civil law protection against deepfake pornography

The most effective and direct protection for affected individuals lies in civil law. The creation and dissemination of deepfake pornography constitutes a serious unlawful infringement of personality rights. In particular, the right to one’s own image is fundamentally violated. The Federal Supreme Court has clearly held that no one may be depicted without their consent—especially not in a manipulated, intimate, and degrading context.

Affected individuals have powerful legal tools at their disposal:

• Action for removal: To obtain a court order requiring deletion of content from websites, platforms, and search engines.
• Action for injunction: To prohibit future creation or dissemination.
• Financial claims: Victims are entitled to damages for financial losses and compensation for moral harm suffered.
• Further possible measures under personality rights protection.

Practical challenges in addressing deepfake pornography

What is lacking are low-threshold reporting mechanisms or private initiatives such as #NetzPigCock|, including an online tool against unsolicited explicit images. In addition, many of the websites and platforms on which pornographic content is shared allow users to act anonymously, meaning that perpetrators often remain unknown at first.

It is therefore all the more important to document the relevant content and the accounts involved. This remains crucial for both civil and criminal enforcement against deepfake pornography. At the same time, content and accounts should first be reported to the respective websites and platforms and requested to be removed. Such content often also violates the platforms’ own policies. Knowledge of the perpetrator is not required for criminal proceedings. If the perpetrator is known or if the website or platform does not promptly remove the content, civil action is recommended.

Nevertheless, victim support and advisory services are available in Switzerland to assist affected individuals with various steps. Given the novelty and complexity of the phenomenon, legal assistance is highly advisable.

Conclusion

Deepfake pornography is not a phenomenon without legal remedies. Swiss law provides a dense network of criminal and civil provisions to effectively defend against it. The protection of personality rights under the Civil Code proves to be a central and powerful tool.

Please feel free to contact us with any questions you may have regarding right to the protection of your personality.

A data breach does not begin only when data is being misused. It begins the moment it becomes accessible to unauthorised parties. It is precisely this realisation that makes the recently publicised case involving the parking monitoring companies Funkwache AG and Unisecur GmbH a cautionary tale for businesses with digital business models.

According to media reports, databases containing several hundred thousand entries were accessible via the internet for an extended period. The data reportedly included names, addresses, vehicle details, locations, as well as information on criminal proceedings and penalty orders. The Federal Data Protection and Information Commissioner (FDPIC) has announced that it will investigate the matter.

Regardless of the outcome of the investigation in this specific case, the incident serves as a prime example of where the greatest risks of digital business models lie today: less in spectacular hacker attacks and more in organisational weaknesses, a lack of governance and inadequate information security.

Data protection starts with senior management – not with IT

Many companies still view data protection primarily as a legal obligation or as the responsibility of the IT department. This is not enough.

Companies that offer digital services or process personal data bear responsibility for the entire lifecycle of that data – from collection and storage to deletion. Data protection, information security and governance are not separate disciplines, but are interlinked.

Companies whose business models are based on digital processes or platforms, in particular, should therefore view this case not so much as an isolated incident but as an opportunity to critically examine their own organisation.

One of the key lessons concerns the definition of a personal data breach. Under Swiss law, a breach exists as soon as unauthorised access cannot reasonably be excluded. It is not necessary to demonstrate that personal data has actually been viewed, copied or misused. The mere exposure of confidential information through an unsecured administrative interface may already constitute a personal data security breach.

Side note: What is a data breach?

Seven lessons for businesses from the data breach

1. Information security is a legal obligation

This case clearly demonstrates that fundamental security measures are not merely technical recommendations.

Under the Data Protection Act, personal data must be protected by appropriate technical and organisational measures. These include, amongst other things, access controls, authentication, secure system architectures, and up-to-date vulnerability and patch management. For public authorities, organisations subject to specific obligations and certain companies, applicable laws such as the ISG or standards such as ISO 27001 or BSI IT Grundschutz apply to information security.

The much-cited principle of ‘security through obscurity’ – that is, the hope that no one will ever find a technical vulnerability – does not meet today’s requirements.

The incident further illustrates that technical and organisational measures must be implemented consistently throughout the entire lifecycle of digital systems. Secure authentication, access management, encryption, software maintenance, vulnerability management, logging, penetration testing and secure system configuration are no longer optional—they represent fundamental elements of responsible data governance.

2. Sensitive data requires a particularly high level of protection

It is particularly significant that, according to media reports, information relating to criminal proceedings and summary penalties is also said to have been affected.

Under the Data Protection Act, such information is classified as personal data requiring special protection. Consequently, the requirements regarding access control, encryption, logging and organisational controls are significantly heightened.

The more sensitive the data, the higher the requirements for its protection.

3. Outdated systems pose a compliance risk

Another issue concerns the software platform apparently in use, the development and support for which are said to have been discontinued years ago.

Outdated software does not automatically constitute a data protection breach. However, if known security risks are no longer addressed or security updates are permanently unavailable, this can lead to legal complications.

Lifecycle management and regular security updates are therefore just as much a part of compliance today as traditional data protection policies.

4. Data must not be collected indefinitely

The scope of the information stored also raises questions regarding data minimisation.

According to the reports, some data records are said to date back as far as 2001. Whether such a long period of storage was necessary and proportionate in each case will have to be assessed on a case-by-case basis.

However, the Data Protection Act requires adherence to a simple principle: personal data may only be processed and retained for as long as is necessary for the specific purpose.

5. Data protection does not end with outsourcing

The case is particularly interesting because it appears that the same software platform or technical infrastructure was used by several companies.

A common misconception often arises, particularly in relation to cloud solutions, SaaS offerings or outsourced IT services: outsourcing IT does not mean that responsibility for data protection is also outsourced.

Even when using external providers, companies remain responsible for compliance with data protection regulations. This includes, in particular, the careful selection of the service provider, clear contractual arrangements, appropriate technical and organisational measures, and ongoing monitoring of the outsourced services.

You can find out more on our ICT outsourcing page and in our specialist article on ICT outsourcing.

6. Incident response is part of corporate governance

Equally noteworthy is the statement by the FDPIC that, at the time of the media reports, it had apparently not received any notification of the data breach.

Where there is a high risk to the privacy or fundamental rights of data subjects, the Data Protection Act generally requires companies to inform the FDPIC of the data breach as soon as possible.

Whether these conditions were met in this specific case will be the subject of further investigations.

Regardless of this, the case highlights how important effective incident response processes are today. Companies should not wait until a crisis arises to clarify who decides whether there is a reporting obligation and how quickly the relevant procedures must be triggered.

7. Data protection also safeguards reputation and trust

Perhaps the most important lesson, however, lies outside the text of the law.

Even if a technical incident can be resolved quickly, the loss of trust often persists for much longer. Today, customers, business partners and investors assess not only products or services, but increasingly also how data is handled professionally.

Data protection and information security have therefore long since become an integral part of responsible corporate governance and effective risk management.

Key takeaways for management

The case of Funkwache AG and Unisecur GmbH serves as a prime example of how data breaches today are often not caused by highly complex cyberattacks, but by avoidable organisational and technical weaknesses. For companies with digital business models, this points to clear areas for action:

• Information security is a management responsibility and not solely the remit of IT.
• Personal data requiring special protection necessitates enhanced technical and organisational safeguards.
• A data security breach occurs as soon as unauthorised access becomes possible – not only once data misuse has been proven.
• Outdated software and a lack of lifecycle management can lead to compliance risks.
• Data minimisation and limited retention periods are key principles of legally compliant data management.
• ICT outsourcing does not relieve companies of their responsibility for data protection and information security.
• Clear reporting and incident response processes are now an integral part of effective corporate governance.

Companies that integrate data protection, information security and digital governance at an early stage do more than simply meet legal requirements. They build trust among customers, employees and business partners – thereby strengthening the long-term resilience of their digital business model.

If you have any questions regarding your digital business model, data protection or ICT outsourcing, please do not hesitate to contact us for an initial, no-obligation discussion.

Data protection law protects individuals – but not every individual who invokes data protection law. The ECJ has made it clear: anyone, that does not use the right of access to monitor their own data, but instead deliberately uses it as a lever to pursue claims for damages, forfeits that protection. 

CJEU JUDGMENT (Brillen Rottler) C-526/24 OF 19 MARCH 2026 

Facts of the case 

In March 2023, TC subscribed to the newsletter of a German optician (Brillen Rottler). Just 13 days later, he submitted a request for access under Article 15 of the GDPR. The company refused to provide the information, citing publicly available information purportedly demonstrating a systematic approach on the part of TC: signing up for services -> request for information -> claim for damages. TC brought an action seeking payment of at least EUR 1,000 in compensation. 

Key Holdings 

• Even a first request for information may be deemed “excessive”: Article 12(5) GDPR permits refusal not only in the case of repeated requests, but also in respect of a single initial request, provided that an abusive intent can be established. What matters is not the frequency of requests, but the intent of the applicant.  

• Burden of proof lies with the controller: If the company wishes to reject a request for information on the grounds that it is abusive, it bears the full burden of proof – and this is a two-stage process. First, it must objectively demonstrate that, despite being formally correct, the request does not serve the actual purpose of the right to information, namely the monitoring and verification of its own data processing. It must then subjectively prove that the applicant intended from the outset to artificially create the conditions for a claim for damages. 

• Public sources as evidence: The company may use publicly available information (e.g. media reports, blog posts about known ‘data protection trolls’) to support its case, provided such information is corroborated by further evidence.   

• Compensation even without unlawful data processing: Article 82(1) of the GDPR grants a right to compensation not only in the event of unlawful data processing, but also in the event of a mere breach of the right of access under Article 15 of the GDPR. The infringement of procedural rights in itself gives rise to liability. 

• Non-material damage – not automatic: The loss of control over data or uncertainty regarding its processing may constitute non-material damage. However, compensation is not payable if the causal link is broken by the data subject’s own conduct – in particular, if they have deliberately provoked the breachin order to generate a claim.   

SCOPE OF THE RIGHT OF ACCESS (Art. 15 GDPR) – WHAT IS COVERED, WHAT IS NOT? 

Covered by the right of access (Art. 15 GDPR) 

• The right to know whether personal data is being processed at all.   

• Where data is being processed: information regarding the data itself, the purposes of processing, categories of data, recipients, retention period, the origin of the data, and any automated decision-making. 

• The right to exercise access free of charge and, as a rule, within one month. 

• Compensation for non-material damage resulting from the infringement of the right of access (including loss of control and uncertainty regarding processing) 

Not covered by the right of access or not worthy of protection 

• Requests for information that do not serve the purpose of monitoring one’s own data processing, but are made abusively to obtain compensation. 

• Compensation where the data subject has caused the damage (e.g. loss of control) through their own abusive conduct – the causal link is broken.   

• Compensation without proof of actual damage incurred – no automatic entitlement arising from the mere infringement. 

CONSEQUENCES FOR SWITZERLAND AND ITS JUDICIAL PRACTICE 

Relevance for Switzerland 

Although the GDPR does not apply directly in Switzerland, the revised Data Protection Act (FADP, in force since 1 September 2023) is closely aligned with European requirements. Swiss courts regularly refer to the GDPR and ECJ case law as an aid to interpretation for the EU-compatible application of the FADP.   

Strengthening of the prohibition of abuse of rights (Art. 2 of the Swiss Civil Code) 

The judgment confirms and reinforces the application of Art. 2(2) of the Swiss Civil Code (“The manifest abuse of a right shall not be protected by law”) in data protection law. Swiss courts are likely to adopt the logic of the ECJ: it is not the number of requests, but the improper intention that is decisive.  

Art. 26(1)(c) FADP permits the refusal of access in the case of ‘manifestly vexatious’ requests or those with a purpose contrary to data protection. The ECJ judgment provides valuable criteria for the practical application of this provision. 

Key difference: Higher threshold for compensation (Art. 32(3) FADP) 

Whilst the ECJ recognises the loss of control as a potentially compensable non-pecuniary loss, Art. 32(3) FADP requires a serious infringement of personal rights for a claim for compensation. The mere refusal to provide information or the associated uncertainty is unlikely to meet this threshold in Switzerland in most cases. 

This represents a significantly higher hurdle for ‘data protection trolls’ in Switzerland than under EU law and is likely to render the business model of systematic requests for information for the purpose of obtaining damages largely unattractive in Switzerland. 

Consistency regarding the causal link   

The ECJ’s comments on the interruption of the causal link by the conduct of the person concerned are fully consistent with the principles of Swiss tort law (contributory negligence). Anyone who deliberately provokes a breach forfeits their claim.   

CONSEQUENCES FOR BUSINESSES 

The judgment is not a free pass to reject requests for information across the board – the burden of proof for misuse lies entirely with the company. Incorrect or delayed information opens the door to claims for damages – regardless of whether the request was made in good faith or abusively.    

For Swiss companies, there is the additional factor that the revised FADP has imposed comparable disclosure obligations since September 2023. Whilst the threshold for claims for compensation is higher than under EU law, this does not relieve companies of the obligation to provide timely and complete information. 

In practical terms, it is therefore advisable to streamline information processes and assign responsibilities clearly within the organisation, to formulate responses in a comprehensible manner rather than simply providing raw data, and to structure data management in such a way that information can be provided quickly and in full. 

CONCLUSION 

With its ruling, the ECJ has drawn an important line against the abuse of the right of access under data protection law: anyone who requests information under Article 15 of the GDPR not to monitor their own data processing, but specifically to construct claims for damages, is acting abusively – and forfeits both the right to access and the right to compensation. ForSwitzerland, the ruling confirms the application of the prohibition of abuse of rights (Art. 2 of the Swiss Civil Code) in data protection law. At the same time, the Swiss Data Protection Act (FADP) sets the bar even higher than EU law by requiring a serious infringement of personal rights for claims for compensation, which makes the business model of “data protection trolls” unattractive.    

Smartphones are now often the central evidence hub in criminal proceedings. Almost everyone carries one, which makes them one of the most important data carriers for investigators. That is precisely why access to them must never become a legal vacuum; an effective sealing procedure upon seizure is needed as a safeguard for privacy, personality rights, and professional secrecy.

Law enforcement is under pressure to review digital evidence quickly, while affected individuals often can only challenge a search with a significant delay. That tension is exactly what makes sealing so essential.

Why this issue matters now

Recent media reporting points to a marked rise in sealing-related proceedings involving smartphones; in Zurich alone, the number is said to have increased by 75 percent. At the same time, the federal authorities are working on more efficient procedures for securing electronic evidence while expressly emphasizing data protection and procedural rights.

This shows two things: digital evidence has become indispensable for criminal prosecutors, but the rule-of-law safeguards must operate with equal seriousness. If sealing and unsealing are not handled promptly and carefully, irreparable intrusions into highly sensitive personal data can follow.

The role of sealing

Sealing is not a technical footnote; it is a core procedural safeguard for sensitive information upon seizure. Anyone whose devices or documents are seized and who invokes confidentiality interests can request that the contents remain sealed until a court decides whether inspection is allowed.

This is especially important for smartphones, because they often contain an exceptionally broad digital footprint: chats, photos, health data, location history, work documents, and private communications. A search therefore almost inevitably interferes with privacy and must be justified with particular care.

What the court must assess

In unsealing proceedings, the question is not simply whether the public prosecutor would like to review the data. The compulsory measures court must also determine whether there is sufficient suspicion of an offence and whether the search is proportionate.

This review is crucial in digital cases because the interference is so far-reaching. Authorities must not access an entire device on a blanket basis if the relevant information can already be narrowed down more precisely, or if protected secrets outweigh the investigative interest.

Current developments and practical problems

The current debate around digital evidence reveals a structural problem: proceedings often take too long, even though digital data can quickly lose evidentiary value or appear in massive volumes. At the same time, the affected person’s duty to cooperate is sometimes applied too strictly in practice, although the Federal Supreme Court has stressed in relevant cases that substantiated disclosures can be sufficient.

Added to this is the new statutory three-day deadline for filing a sealing request after seizure, which has been described in legal commentary as a significant tightening and a potential trap. Missing that deadline, or failing to justify the request properly, can mean the irreversible loss of protection.

Why this matters for personality rights

The right to sealing protects not only lawyers, journalists, and other holders of professional secrecy, but ultimately every person whose most intimate life domains are stored on a device. A smartphone search often provides a comprehensive view of someone’s digital life, far beyond what is relevant to the criminal proceedings.

For that reason, the rule of law must not weaken the sealing mechanism simply because some courts have not yet fully adapted to the pace of technological change. The correct response is not less legal protection, but more precise procedures, faster judicial review, and stricter reasoning requirements for any intrusion.

Conclusion

In digital criminal proceedings, sealing is not a luxury; it is a rule-of-law necessity. Especially with smartphones and other data carriers, it determines whether privacy remains effectively protected or whether sensitive data are disclosed too early.

Anyone who wants to make searches of digital devices easier must not gradually dismantle the protection of affected persons. A functioning sealing procedure is the condition for keeping criminal prosecution, personality rights, and privacy in fair balance.

Artificial intelligence (AI) has long been part of our everyday lives. AI has become indispensable in schools, universities and businesses. Given the rapid development of artificial intelligence and its increasing presence in everyday life, it is becoming increasingly important to examine its opportunities and risks.

On February 23, 2026, the Federal Data Protection and Information Commissioner and around 60 other national data protection authorites worldwide published a joint statement on AI-generated images. This statement marks an important step in the international discussion on privacy and data protection in the digital age.

Deepfakes and AI: Why Data Protection Authorities Worldwide Are Issuing Warnings

Data protection authorites have expressed serious concerns about systems that use artificial intelligence to generate realistic images or videos of identifiable individual without their consent. Such technologies carry a high risk of abuse, for example through the creation of non-consensual, intimate depictions (known as deepfakes). Childern and other vulnerable groups are particularly at risk of becoming targets of cyberbullying, sexual exploitation or identity theft.

Laws in Switzerland: Are AI-generated images permitted?

In many juristictions – including Switzerland – the creation or distribution of images that have not been created with consent can have criminal consequences. From a data protection perspective, that use of AI systems to create realistic images raises significant questions regarding the legality of data processing and the protection of privacy. Personal data my only be used if there is a legal basis for doing so or if the data subject has given their expressed consent. Companies offering such systems must ensure that appropriate technical and organizational measures are taken to prevent misuse and unauthorized processing.

Recommendations for working with AI

The joint statement by the data protection authorities sets out several key principles that all organizations should follow:

• Impementation of robust protective measures to prevent the misuse of personal data and the creation of non-consensual intimate depictions and other harmful content, especially involving children.
• Ensuring meanigful transparency regarding the capabilities of AI systems, the protective mechanisms implementet, permissible uses, and the potential consequences of misuse.
• Provision of effective and easily accesible procedures through which data subjects can request the removal of harmful content relating to them.
• Special protection for children and other vulnerable groups.

Conclusion: Techological progress requires responsibility

The risks posed by AI-generated images are global and require urgent regulatory action. While AI offers enormous opportunities, technological progress must not come at the expense of privacy, data protection and other fundamental rights.

Our law firm advises businesses on the legally compliant use of AI and on data protection issues. Please feel free to contact us with any questions regarding generative AI, data protection and your digitalisation projects..

In its ruling of 6 October 2025, the Federal Administrative Court upheld the FDPIC’s decision on the ‘Pfarrer-Check’ database and clarified the application of the revised Data Protection Act (DPA) to publicly accessible personal data.

The decision provides important clarity for operators of online platforms, directories and campaign websites when dealing with personal data from the internet.

An overview of the Federal Administrative Court ruling A-2941/2024

In its ruling of 6 October 2025, A-2941/2024, the Federal Administrative Court upheld the decision of the Federal Data Protection and Information Commissioner (FDPIC) in the so-called ‘Pfarrer-Check’ case. In the court’s opinion, the public recording of over 6,000 church officials in an online database without their consent violates the revised Federal Act on Data Protection (FADP).

Facts of the ‘Pfarrer-Check’ case

The association ‘Bürgerforum Schweiz’ operated a publicly accessible database on its website containing personal data on over 6,000 individuals from the church community. The database contained names, places of residence and postcodes, employers or religious denominations, fields of activity, positions and a status (‘recorded’, “requested”, ‘responded’) in connection with a questionnaire on religious views.

According to the operator, the purpose of the database was to enable a distinction to be made between ‘genuine’ and ‘watered-down’ churches. In its ruling of 9 April 2025, the FDPIC ordered the deletion of the entries published without the consent of the persons concerned. The association lodged an appeal against this ruling, which the Federal Administrative Court did not admit.

Applicable law & procedure

The court first confirmed that the revised Federal Data Protection Act (FADP, in force since 1 September 2023) is applicable. The decisive factor is the date on which the formal investigation was opened; mere informal preliminary investigations and responses to enquiries do not constitute a pending investigation within the meaning of transitional law.

The complainant alleged that the lower court had violated her right to inspect the files by only making the reports available to her in anonymised form. However, the court considered the EDÖB’s action to be lawful: the public interest in effective data protection supervision outweighs the operator’s interest in the identity of the whistleblowers.

Key material points (data protection principles and justification)

Proportionality

In the court’s opinion, publishing the status ‘recorded’ or ‘requested’ was neither appropriate nor necessary to achieve the purpose stated by the association (distinguishing between “genuine” and ‘fake’ churches). The information that someone has received a questionnaire but has not answered it leaves room for interpretation without offering any objective added value for the purpose of data processing.

Limitation of Purpose

The individuals concerned had published their contact details on their institutions’ websites so that they could be contacted in connection with their professional activities. The mere fact that the data is publicly accessible does not mean that it may be used for any purpose, in particular for an evaluative campaign database. The court qualifies the use for the ‘Pfarrer-Check’ as a change of purpose that was not apparent to the persons concerned.

Transparency

The persons concerned must be actively and clearly informed about the actual data processing. This did not happen. In particular, the persons concerned were not sufficiently informed that their data would be published even if they did not complete the questionnaire. A mere reference to the operator’s website does not satisfy the transparency requirements of the DPA. Active, comprehensible information about the nature, purpose and scope of the data processing is required.

Justification

The court denies the existence of a justification within the meaning of Article 31 of the FADP. Neither was there valid consent, nor could the association invoke a legal basis or an overriding public interest. A self-defined ‘public interest’ without any basis in law or the constitution is not sufficient to justify serious violations of privacy.

The appeal to Article 31 para. 2 of the FADP (person of public interest) is also unsuccessful. In weighing up the interests, the court considers the status ‘requested’ to have a high potential for infringement because it allows negative speculation about the attitude and integrity of the person concerned, while the status ‘recorded’ only has a medium intensity.

The court therefore concludes that the complainant has unlawfully infringed the personality rights of the persons concerned.

Significance of the judgment in practice

Since the new FADP came into force, the FDPIC has already carried out numerous low-threshold interventions and issued more than 14 formal investigations in the form of rulings. Only four of these rulings have been challenged before the Federal Administrative Court to date. The decision thus shows that the courts fundamentally support the FDPIC’s approach and consistently enforce the basic principles of data protection law, even in the case of publicly accessible online data.

The decision sends a clear signal to operators of online databases, directories, campaign and rating platforms: even if data is publicly accessible, proportionality, purpose limitation, transparency and a viable obligation to justify remain central.

Our experts in data protection and ICT law assist organisations in the legally compliant design of online platforms, websites and projects under the revised DPA.
Get in touch with us for an initial consultation on matters of Data Protection.

Under Swiss law, protection of privacy entails both civil and criminal law mechanisms to protect a person’s honour, reputation and integrity from unlawful attacks. The case involving the Swiss People’s Party (SVP) in Lucerne and former party member Yves Holenweger¹ illustrates how media reports can be legally relevant and what options those affected have to protect themselves.

Civil law protection of personality rights

Civil law provides comprehensive protection of personality rights in accordance with Art. 28 et seq. of the Swiss Civil Code. This protection covers physical and psychological aspects, as well as honour, privacy and economic reputation.

• A violation is considered unlawful if it is not justified by consent, higher interests or the law.
• Those affected may demand that the violation be stopped, remedied or determined by a court.
• Claims for damages, compensation or counterstatements are also often available, especially in the case of media publications.

In the case of media-effective criticism, as in the present case, the person concerned can, for example, demand a counterstatement or take legal action to prevent and remove a defamatory statement.

Criminal law protection of personal rights

Criminal law applies in cases of particularly serious violations of personal rights, such as defamation, slander or verbal abuse.

• Defamation (Art. 173 SCC): Anyone who accuses another person of dishonourable or reprehensible behaviour to third parties may be prosecuted if the statement is not proven or justified. A criminal offence is therefore committed when someone spreads false information about another person that damages their reputation. In such cases, the public prosecutor’s office may issue a penalty order, as was done in the case mentioned above.
• Willful Defamation (Art. 174 SCC): Anyone who, against their better judgement, accuses or suspects someone of dishonourable behaviour or spreads such accusations may be prosecuted if these accusations damage the person’s reputation. The deliberate dissemination of false facts that cast a person in a bad light is therefore punishable by law. This offence is more serious and can lead to higher penalties.
• Criminal prosecution protects the right to honour and reputation and also includes protection against damage to reputation in public and media reporting.
• Negligent or deliberate false statements are punishable by fines or even imprisonment.

Here too, the person affected can initiate civil proceedings in parallel in order to additionally mitigate the consequences of a criminal offence under civil law.

Effective protection of privacy: Legal action and recommended measures in cases of defamation, damage to reputation and media coverage

The example of the defamatory press release signed by Dieter Haller, then president of the Lucerne City SVP, and Timo Lichtsteiner, then and now vice-president, illustrates how personality rights protection works.

• Those affected by defamatory statements or media reports should promptly check whether there is a justifiable reason and, if not, consider seeking legal assistance for civil and criminal proceedings.
• Particularly in the case of political criticism or public reporting, it is essential to carefully weigh up the interests involved (freedom of expression vs. protection of personality rights) – courts often weigh up the public interest against the rights of the individual.

The Holenweger affair shows how personal attacks can quickly turn into a legal dispute over honour and personality rights. A specialised law firm offers competent support in dealing with such complex cases and ensures that the rights and interests of those affected are protected in an objective and efficient manner.

Find out more about the protection of personality rights in civil and criminal law here.

1. https://www.luzernerzeitung.ch/zentralschweiz/stadt-region-luzern/artikel-ld.4016595 last visited on 23 September, 2025. ↩︎

In its ruling, the court refuses to unseal seized data carriers and documents belonging to a journalist, thereby strengthening freedom of press. The current decision of the Zurich District Court of 2 July 2025 deals with the unsealing of seized data carriers and documents in the case of Inside Paradeplatz journalist Lukas Hässig, after the journalist correctly filed for sealing on the grounds of protecting his sources. The decision of the Compulsory Measures Court shows the conditions under which a request for unsealing is approved or, as in this case, not approved.

Facts and background of the Hässig case

The focus is on an investigative journalist, editor of the Inside Paradeplatz platform. He is accused of sharing information and data from Bank Julius Bär & Co. AG, which is subject to banking secrecy and/or trade secrets, in his magazine ‘Inside Paradeplatz’. In connection with the resumption of criminal proceedings against the respondent for an offence under Article 47 Banking Act, a search was carried out at his home and place of work. Various items and data carriers were seized. Referring to the protection of journalistic sources, the respondent requested that all seized items be sealed.

The public prosecutor’s office then filed a request for unsealing with the Compulsory Measures Court of the Zurich District Court. The respondent commented on the request for unsealing and requested that it be dismissed.

Note: The judgment shows that the criminal investigation by the public prosecutor’s office had already been suspended twice. In the most recent suspension order, the public prosecutor’s office itself had denied the admissibility of a search on the grounds of source protection, which the court took up in its judgment.

Legal requirements for unsealing

A request for sealing is used to assert permissible confidentiality interests pursuant to Article 248 para. 1 of the Swiss Criminal Procedure Code when searching records. Once the request for sealing has been filed, the criminal authority first seals the seized data carriers and documents. In the unsealing proceedings, the Compulsory Measures Court is then obliged to examine any objections to the admissibility of the search. A general decision must therefore be made as to whether the search is admissible.

A search of records within the meaning of Article 246 ff. Swiss Criminal Procedure Code, i.e. ‘documents, audio, video and other recordings, data carriers and equipment for processing and storing information’, is permissible if:

• The items are subject to a seizure (Art. 246 Swiss Criminal Procedure Code)
• There is sufficient suspicion of a crime (Art. 197 para. 1 lit. b Swiss Criminal Procedure Code)
• It is proportionate with regard to the constitutionally protected sphere of intimacy and privacy (Art. 197 para. 1 lit. c Swiss Criminal Procedure Code)

According to Article 246 of the Swiss Criminal Procedure Code, documents, audio, video and other recordings, data carriers and equipment for processing and storing information may only be searched if there is reason to suspect that information subject to seizure is contained in these items. According to Article 263 para. 1 of the Swiss Criminal Procedure Code, items and assets that are used as evidence (lit. a) are subject to seizure if they are needed to secure procedural costs, fines, penalties and compensation (lit. b), if they are to be returned to the injured party (lit. c), confiscated (lit. d) or used to cover claims for compensation by the state in accordance with Article 71 of the Swiss Criminal Code.

Unlike the court of law, the Compulsory Measures Court does not have to exhaustively weigh up all incriminating and exonerating evidence. What is required is a sufficiently concrete probability that the alleged offence was actually committed. According to the highest court ruling, reasonable suspicion can be equated with the concept of initial suspicion pursuant to Article 309 para. 1 lit. a of the Swiss Criminal Procedure Code.
Compared to pre-trial detention (Art. 224 ff. Swiss Criminal Procedure Code), the unsealing and searching of records appears to be significantly less intrusive. The requirements for reasonable suspicion are therefore less stringent. Reference can be made to substantiated criminal complaints or reports. The grounds for suspicion must be examined on the basis of the results of the investigation to date.

Furthermore, the Compulsory Measures Court must weigh up the interests involved and examine whether the house search and the search of the sealed data are proportionate to the constitutionally protected intimate and private sphere of the respondent.
The owner of the records or objects may request sealing if there are obstacles to seizure in accordance with Article 264 of the Swiss Criminal Procedure Code (Art. 248 Swiss Criminal Procedure Code). These obstacles to seizure also prevent the unsealing of previously sealed records and objects.

When assessing the proportionality of this compulsory measure, the severity of the offences under investigation is also taken into account (Art. 197 para. 1 lit. d Swiss Criminal Procedure Code).

Considerations of the coercive measures court in its ruling of 2 July 2025

No reasonable suspicion

The criminal investigation against the respondent has now been ongoing for six years. The investigation files do not indicate that the suspicion against the respondent has intensified in recent years or at least months. The Compulsory Measures Court finds that no suspicion against the respondent can be established, even to a minimal degree. Sufficient suspicion is denied.

Proportionality and source protection

The public prosecutor’s office argues that the respondent cannot invoke source protection under Art. 28a para. 1 of the Swiss Criminal Code and Art. 172 of the Swiss Criminal Procedure Code and thus a right to refuse to give evidence. The Compulsory Measures Court argues that the respondent acted in the interests of society and fulfilled his duty as an investigative journalist. It considers the priority given to criminal prosecution and possible punishment for a breach of banking secrecy over the legitimate right of the public to be informed about alleged far-reaching violations of the law in the financial sector to be manifestly wrong. According to the Compulsory Measures Court, the interest in prosecution in this case is not sufficiently weighty to outweigh the protection of sources. The proportionality of the search must also be denied.

Finally, the Compulsory Measures Court finds that the conditions for unsealing and searching the seized data carriers and documents are not met.

Significance for the media, lawyers and those affected

The ruling thus rightly emphasises the high hurdles for interference in journalistic work. Source protection enjoys strong protection in Switzerland, as it is enshrined in the Constitution and the ECHR. Finally, criminal proceedings such as the unsealing and searching of records require careful consideration of the interests involved – especially in the case of media professionals.

For affected journalists and media companies, this means that access to confidential data is only permitted in exceptional cases where there are concrete and serious grounds for suspicion of criminal activity.

Our law firm provides advice on criminal procedure law, media law, source protection and the enforcement of personal rights. Please feel free to contact us without obligation if you have any questions about criminal proceedings and the search of records.

FAQ Criminal proceedings and sealing:

1. How does the sealing of data carriers or documents occur in criminal proceedings?

Seized data carriers or documents are sealed if the person concerned claims that the contents of the records are subject to special protection, for example due to professional secrecy (e.g. protection of journalistic sources, lawyers, doctors). Sealed data may only be searched after a court decision has been made.

2. Under what conditions can a request for unsealing be successful?

To this end, the public prosecutor’s office submits a request for unsealing to the Compulsory Measures Court. Unsealing is possible if there is concrete and sufficient suspicion against the person concerned and the search appears proportionate to their fundamental rights. The Compulsory Measures Court always examines the proportionality and the suspicion.

3. What is the right to refuse to give evidence and who can invoke it?

The right to refuse to give evidence allows certain professional groups – e.g. lawyers, journalists, doctors – to refuse to testify and to keep their sources or client data confidential. This protection applies as long as they are not suspected of having committed serious crimes themselves.

The right to refuse to give evidence allows any person to refuse to testify during questioning for their own protection (Art. 169 Swiss Criminal Procedure Code) or to protect personal relationships such as their spouse or close relatives (Art. 168 Swiss Criminal Procedure Code). However, sealing is only protected under Art. 264 of the Swiss Criminal Procedure Code in cases of qualified confidentiality protection, e.g. items and documents from another person’s communications with their lawyer.

4. Is the protection of journalists’ sources also guaranteed in court?

Yes, journalists can invoke source protection. Courts and public prosecutors may only seize and unseal their data in exceptional cases – namely when there are clear indications of a criminal offence and public interests, namely in the criminal investigation, outweigh other considerations.

5. What can I do if I receive a summons to appear as a witness but wish to refuse to provide information?

You must attend the appointment, but you can exercise your right to refuse to give evidence if you are bound to secrecy as a relative or because of your profession. Inform the authorities of this in good time and seek legal advice if necessary.

Switzerland is strengthening its claim to be one of Europe’s leading centres of innovation. ETH Zurich plays a central role in this as a driving force. Three recent developments emphasise the country’s technological potential and digital sovereignty (personal selection):

• the development of a publicly accessible large language model (LLM) for data protection-compliant AI applications,
• ETH’s participation in the Swiss Chip Fablab to strengthen national semiconductor expertise in the Dübendorf Innovation Park,
• and the initiative surrounding the ETH Earth Observation Centre in the Canton of Lucerne, which is providing targeted impetus in Central Switzerland.

All projects symbolise an innovation strategy based on scientific excellence as well as entrepreneurial scalability, sustainable infrastructure and regulatory foresight.

Digital sovereignty: The ETH large language model for public use

The LLM, launched by ETH Zurich, is the first AI technology to be tailored to Swiss legal requirements, multilingualism and the highest data protection standards. It is the result of a collaboration between EPFL and ETH Zurich and was trained on the ‘Alps’ supercomputer at the Swiss National Supercomputing Centre (CSCS). For companies, administrations and, in particular, SMEs that value data-secure processes, this opens up new possibilities in the areas of automation, information indexing and modern customer interaction – without having to rely on global cloud platforms. This development illustrates how technological progress and location policy can be combined. Switzerland is thus positioning itself as a pioneer for trustworthy and independent digitalisation in both the public and private sectors.

Semiconductor expertise in the heart of Europe: the Swiss Chip Fablab

ETH Zurich is also marking a milestone in the area of hardware and semiconductor development: the planned participation in the Swiss Chip Fablab in the Dübendorf Innovation Park will create a network that combines research, development and production at a geopolitically secure, reliable location. The aim is to strengthen the resilience of supply chains and establish independent semiconductor expertise – a key concern in times of global uncertainty. It does not serve as an alternative to AI processor chips, which are predominantly manufactured in Taiwan, but rather to develop highly specialised chips for applications such as energy, mobility, medicine or communication. The Fablab offers start-ups, established companies and international partners access to state-of-the-art infrastructure, support with regulatory issues and the opportunity for strategic networking.

New ETH hub for the canton of Lucerne: strengthening the region and promoting innovation

Thanks to the CHF 100 million donation from the Jörg G. Bucherer Foundation to the ETH, an earth observation centre is to be built in the canton of Lucerne. Emmen/Viscosistadt, Horw around the University of Applied Sciences or Hochdorf are being discussed, for example. This shows how the power of innovation can be strengthened in a targeted manner and promoted in a decentralised manner. Such an ETH hub creates new opportunities for companies and start-ups in Central Switzerland to enter into direct dialogue with research and teaching – and sends out a strong signal for the attractiveness of Emmen as a location for technology and innovation. The regional anchoring of technological excellence contributes to the broad development of innovation potential and the utilisation of synergies between science and business.

What does this mean for companies, investors and entrepreneurs?

For technology-orientated companies, investors and innovative entrepreneurs, new opportunities for collaboration arise, but also complex regulatory issues:

• How can AI solutions be integrated in a legally compliant and data protection-compliant manner?
• What legal requirements need to be observed when researching, developing and exporting sensitive technologies?
• How can innovation and compliance be optimally balanced in international competition?

As a boutique law firm from Lucerne specialising in data protection law, digital business models and commercial law issues, we assist companies, authorities and institutions with all the challenges of digital transformation. Our team supports you in all matters relating to data protection and IT projects, as well as in commercial law issues such as corporate governance, restructuring and M&A. We emphasise legally compliant innovation, regulatory compliance and pragmatic implementation. From data protection impact assessments and licence agreements to cross-company transformation, you benefit from our expertise in the digital and business environment.

Contact us for questions about digital business models.