CADE Hub Topics Events Updates Resources Actors

Switzerland confirms existing data protection law applies to AI systems

This clarification, issued on 8 May 2025, emphasises that despite the rapid evolution of AI technologies, Switzerland’s existing data protection framework already provides regulatory oversight for AI applications without requiring immediate specialised legislation.
Switzerland confirms existing data protection law applies to AI systems

The Swiss Federal Data Protection and Information Commissioner (FDPIC) has recently reaffirmed that the current Federal Data Protection Act (FADP), in force since 1 September 2023, is directly applicable to artificial intelligence (AI) systems processing personal data. This clarification, issued on 8 May 2025, emphasises that despite the rapid evolution of AI technologies, Switzerland’s existing data protection framework already provides regulatory oversight for AI applications without requiring immediate specialised legislation.

Switzerland’s regulatory landscape

Switzerland has emerged as a significant player in the global AI industry, with considerable patent and startup activities across healthcare, finance, manufacturing, and robotics sectors. Despite this growth, Switzerland currently lacks specific laws or regulations that directly govern AI. The Swiss approach to technology regulation has traditionally been characterised by technology-neutrality, allowing existing legal frameworks to accommodate new innovations without requiring immediate specialised legislation.

Unlike its neighbouring European Union countries, Switzerland is not directly subject to the EU AI Act, giving it regulatory flexibility while maintaining its position as an innovation hub. The Federal Act on Data Protection serves as the primary legal framework applicable to AI systems that process personal data within Swiss jurisdiction. 

Technology-neutral legal framework

The Swiss legal system is built on the principle of technology neutrality, allowing existing laws to apply to new technologies without requiring immediate specialised regulation. The Federal Act on Data Protection, was designed with this principle in mind, ensuring its applicability to emerging technologies like AI. This revision aligned Swiss data protection standards with both Convention 108+ of the European Council and the EU General Data Protection Regulation (GDPR), securing Switzerland’s adequacy status with the European Commission.

The FDPIC has consistently maintained that this technology-neutral approach means the data protection legislation naturally extends to AI applications. The November 2023 statement by the FDPIC first clarified this position, which has now been reinforced by the May 2025 communication. This consistency provides regulatory certainty for businesses operating in Switzerland while ensuring consumer protection.

Transparency requirements

The FDPIC has placed particular emphasis on transparency as a cornerstone principle for AI regulation under the existing FADP. According to the FDPIC’s interpretation, transparency requirements are ‘closely linked’ to the right to object to automated data processing and to other data subject rights relevant to automated individual decisions. These requirements introduce specific obligations for entities developing and deploying AI technologies in Switzerland.

Disclosure requirements for synthetic media

The FDPIC has explicitly addressed the issue of deepfakes and synthetic media technologies. When programs enable the creation of ‘deepfakes’ (described as ‘falsification of faces, images or voice messages’) of identifiable persons, such alterations must always be clearly recognisable unless completely prohibited under criminal law. This requirement aims to counter potential misuse of AI for creating misleading or deceptive content that could harm individuals or undermine trust.

Automated decision-making under Swiss law

Article 21 of the FADP specifically governs automated individual decisions, providing important protections for individuals subject to AI-driven decision processes. Under this provision, data controllers must inform individuals when they are subject to decisions based solely on automated processing that produces legal effects or significantly affects them. This requirement ensures transparency in AI decision-making processes.

High risk AI systems

AI-supported data processing involving high risks is permitted in principle under the FADP provided appropriate measures to protect the data subjects are taken. For this reason, the law requires a data protection impact assessment to be conducted in high-risk cases.

Future AI regulation in Switzerland

While existing data protection law provides immediate oversight of AI systems, Switzerland is actively developing more specific AI regulations.

Regulatory approach and principles

The Federal Council has outlined a three-pronged approach to future AI regulation:

  1. Sector-specific regulation where possible, with general cross-sectoral regulation limited to key areas relevant to fundamental rights, such as data protection.
  2. Development of non-legally binding measures to complement legislation, including self-disclosure agreements and industry solutions.
  3. Focus on three core objectives: reinforcing Switzerland as an innovation center, safeguarding fundamental rights (including economic freedom), and increasing public trust in AI.

Within the Plateforme Tripartite, Swiss policymakers are engaging with industry stakeholders, academia, and international partners to develop a balanced regulatory framework that addresses ethical considerations and societal impacts while fostering innovation.

Civil Society Alliances for Digital Empowerment (CADE) is a project co-funded by the European Union.

Civil Society Alliances for Digital Empowerment (CADE) 2024. All rights reserved.

This website is co-funded by the European Union. Its contents are the sole responsibility of CADE and do not necessarily reflect the views of the European Union.

Web accessibility | Privacy policy

Go to Top