For Further Information Contact:

switzerland@transatlanticlaw.com

What Swiss hosting providers should consider when dealing with edition orders.

Swiss hosting providers are increasingly confronted with requests from criminal authorities to hand over data relating to a specific customer relationship. In order not to expose themselves to a liability risk, they should pay attention to a few things when dealing with such orders, and in particular should not give out data lightly.

  1. Swico Guide to inquiries from authorities

In order to make it easier for Swiss hosting providers to deal with inquiries from authorities and courts regarding customer activities, information and content, Swico – the Swiss trade association for the ICT and online industry – published a “Guide to Inquiries from Authorities” in 2020.

This guide contains various technology-oriented principles of conduct aimed at Swiss hosting providers, and also comments specifically on the handling of edition orders issued by criminal authorities [1]. It has proven itself in practice and makes a significant contribution to improving legal certainty on the Internet.

  2. General requirements for an edition order

If a hosting provider is faced with an edition order from a criminal authority, it should check the following:

  1. Is the sender of the edition order a Swiss criminal authority?
  2. Is there a written, signed and (at least briefly, with indication of the relevant criminal offence) reasoned edition order?
  3. On what legal basis does the criminal authority request information?
  4. Is the customer relationship in question sufficiently specified?
  5. Are the information, documents, etc. to be released sufficiently specified (e.g. release of holder data concerning a specific customer, or release of specific content made accessible by a specific customer)?

  3. If necessary, demand rectification by the criminal authority

If the hosting provider has to answer “no” to one or more of the above-mentioned questions, it should contact the requesting criminal authority and ask it to rectify the edition order.

If there are doubts about the existence of the requesting criminal authority and/or the authenticity of the edition order, it is advisable to first research the authority concerned, contact it via a publicly published telephone number and verify the request with it.

As a matter of principle, Swiss hosting providers [2] should not comply with direct requests from foreign (criminal) authorities. Rather, providers should refer the authority concerned to international administrative or mutual legal assistance. Otherwise, they expose themselves or their decision-makers to the risk of criminal liability under Art. 271 SCC (prohibited act for a foreign state).

As far as the specificity of the edition order is concerned, the hosting provider must demand that the order be formulated so precisely that the provider can isolate the data concerned beyond doubt and without any interpretation and/or selection of its own. In case of doubt, the hosting provider should also ask the requesting criminal authority for rectification. The same applies if the edition order proves to be ambiguous, for example because incorrect technical terms are used. One example would be an edition order that is obviously about hosted content but refers only to “data relating to the domain name xyz.ch”.

If hosting providers carelessly ignore the above-mentioned requirements and carelessly provide data to the requesting criminal authority, they run the risk of being liable for damages to their customers and/or affected third parties.

  4. Coordinate the modalities of data delivery with the criminal authority

If an edition order meets the requirements mentioned above, the hosting provider concerned should coordinate the specific technical modalities of the data delivery with the requesting criminal authority.

When defining the technical modalities, the hosting provider should take into account the current state of the art as well as the sensitivity and volume of the data, in order to ensure a level of data security appropriate to the circumstances.

Data that can be freely viewed from public sources (e.g. imprint) can generally be sent to criminal authorities by e-mail. In contrast, a hosting provider should encrypt data that is not publicly accessible and make it available through an access-protected channel.

  5. Observe any prohibition of notification

Edition orders issued by criminal authorities regularly contain a prohibition of notification, i.e. an instruction, backed by the threat of punishment under Art. 292 SCC in the event of infringement, to maintain secrecy about the order and related circumstances and not to take any action that could draw the attention of the accused or of third parties to the ongoing criminal investigation. In order not to expose themselves or their decision-makers to the risk of criminal liability under Art. 292 SCC, hosting providers or their responsible bodies should strictly adhere to this prohibition and also ensure that all employees involved in the respective edition order are informed about the prohibition of notification.

If the hosting provider intends to dissolve the customer relationship concerned (e.g. because it suspects illegal content on the part of the customer and would be contractually entitled to terminate without notice), it should coordinate with the criminal authority before termination in order not to undermine the purpose of the prohibition of notification. It is conceivable that the customer would infer from a termination without notice by the hosting provider that criminal proceedings are underway against him, so that he could, for example, delete data and thus prevent effective criminal prosecution.

  6. Sealing is not the panacea

Contrary to what the current reporting on the Berset/Lauener affair (see, for example, the article in the NZZ am Sonntag of 5 February 2023, p. 9) would suggest, sealing is not the panacea for hosting providers that they could and should use in response to edition orders.

Sealing is an instrument that can prevent or at least delay the knowledge and use of data by the criminal authorities. It serves to protect the secrecy interests of data subjects: sealing is intended to prevent the criminal authorities from learning about secrets of which they should not become aware. It is an immediate measure that takes effect upon mere assertion (i.e. with the application for sealing) and excludes any knowledge by the criminal authority. In order to still be able to use the data, the criminal authority must request the competent (unsealing) court to unseal the data concerned in separate proceedings.

Sealing is regulated in Art. 248 of the Swiss Code of Criminal Procedure (CrimPC). This provision has recently been revised (the revision is currently planned to enter into force on 1 January 2024). According to the currently still valid wording of Art. 248 para. 1 CrimPC, “records and objects which, according to the information provided by the holder, may not be searched or confiscated because of a right to remain silent or to refuse to testify or for other reasons” must be sealed. The application for sealing is not subject to any formal requirement. The inadmissibility of the search need only be made credible; it does not have to be proven. Based on Art. 248 para. 2 of the revised CrimPC, criminal authorities will now be obliged to actively inform customers of hosting providers of the right to request sealing after receiving the requested data.

According to both current and revised law, however, the following applies: Sealing “for” third parties (such as customers) is not permitted by law. An application for sealing can only be made by those who assert their own interests in secrecy (see, for example, BGer judgment 1B_243/2021 of 20 December 2021, E. 3.6 [on the VStrR]; BGer judgment 1B_210/2017 of 23 October 2017, E. 6.4 [on the VStrR]; BGer judgment 1B_562/2011 of 2 February 2012, E. 2).

Constellations in which a hosting provider, as the addressee of an edition order, is affected in its own confidentiality interests occur only very rarely in practice (for example, if the order requires the release of data concerning a particular customer that also includes correspondence between the hosting provider and its legal representative).

  7. The power of the Swiss criminal authorities

Whether it is appropriate for Swiss criminal authorities (as opposed to telephone surveillance, for example) to be able to access e-mails and other data without judicial authorisation by requesting hosting providers to hand them over is a question of legal policy.

From the point of view of the persons concerned, this may be unsatisfactory. Under applicable law, hosting providers as intermediaries can change this power structure only to a limited extent, namely by not complying with inadequate edition orders and asking the requesting criminal authority to rectify them.

A restriction of the legal possibilities of the Swiss criminal authorities (e.g. introduction of a judicial authorisation requirement) or an expansion of the legal protection of the persons concerned could ultimately only be achieved by law.

For more information:

[1] The Guide to Inquiries from Authorities also comments on edition orders in civil proceedings, on the ordering of telecommunications surveillance, on the questioning of natural persons and on the actions of authorities or authorised representatives instead of the customer. These case constellations are not part of this article.

[2] In exceptional cases, foreign authorities (based on Art. 32 lit. b of the Convention on Cybercrime) may address requests directly to Swiss hosting providers. However, the direct release of inventory and marginal data abroad outside the international administrative or mutual legal assistance channel is not legally enforceable. A voluntary direct surrender is only permitted if the customer concerned has contractually authorized the hosting provider to do so.

By Vischer, Switzerland, a Transatlantic Law International Affiliated Firm.

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.