On 1 January 2024, three partially revised implementing ordinances to the Swiss Federal Act on the Surveillance of Post and Telecommunications (SPTA) will enter into force. These provisions are related to 5G technology: the declared aim is to prevent gaps in surveillance by introducing new types of information and surveillance. This (first) revision package raises some fundamental questions. It is still largely unclear which providers are affected by the changes.
What It's About
The Swiss Federal Council at last divided the revision of surveillance law into two parts:
- First revision package: provisions for adapting three SPTA ordinances (VÜPF; VD-ÜPF and VVS-ÜPF) to 5G technology. These provisions will enter into force on 1 January 2024.
- Second revision package: new definition of those providers obliged to co-operate under surveillance law ("Affected Providers"). This part is still pending.
The Swiss trade association of the ICT and online industry (Swico) and the Swiss Social Democratic Party (SP) criticised this division of the revision into two parts during the consultation process. They argued that the current amendments would lay down obligations without specifying who would be subject to these obligations. However, their request to withdraw the first package of amendments and draw up a new proposal which also includes the second package was not honoured.
The aim of the first revision package is to guarantee the Swiss Post and Telecommunications Surveillance Service ("Surveillance Service") a consistent level of surveillance of postal and telecommunications traffic. To this end, additional types of information and surveillance will be introduced. Specifically, the revision package includes
- three new types of information to query identifiers (such as addressing elements, device numbers, subscriber numbers) of the 5G technology and to enable identification in the case of spoofed telephone numbers or callers with an unknown telephone number;
- four new types of surveillance to determine the exact position of a mobile device in the mobile network (previously only the approximate position could be determined, e.g. in an emergency search for a missing person or in real-time surveillance).
For the most important changes in this first revision package, see also our article "Modernisation of Surveillance Law at Ordinance Level (Part 1)" of 18 February 2022.
The Criticism Voiced During the Consultation
The consultation on the first revision package lasted from 16 February to 23 May 2022. 70 consultation responses were received by the Swiss Federal Department of Justice and Police (FDJP) or, respectively, the Surveillance Service. While the cantons and criminal authorities welcomed the bill in principle, telecommunications providers and other affected providers as well as industry associations criticised it harshly in some cases.
It was criticised that not only provisions relating to 5G technology are being amended, but also others which lead to an expansion of general surveillance, to more work for the Affected Providers and to a reduction in user privacy. Criticism was levelled in particular at the amount of compensation paid to the providers, the data required to identify participants, the automated provision of information, positioning and shorter processing times.
The FDJP ultimately only took part of this criticism into account.
What Changed as a Result of the Consultation – and What Did Not
The following points raised during the consultation were incorporated into the final law:
- Adaptation or deletion of various provisions in order to appropriately balance the relationship between the additional work for the Affected Providers (in particular system adjustments) and the benefits for the criminal authorities (proportionality of the changes);
- Moving some provisions to the second revision package, such as the obligation to provide the destination addressing elements (destination port numbers and destination IP addresses);
- Deletion of the provision which was intended to oblige the providers of derived communication services (PDCS) with further obligations to remove any encryption applied;
- Extension of the transitional periods for the system adjustments on the part of the Affected Providers from 12 to 24 months from the entry into force of the VÜPF;
- Reduction of the fees for the new monitoring types of positioning and the total fee for the information type in connection with an IMSI catcher deployment (e.g. for emergency searches);
- Clarification that PDCS with further obligations are not affected by the new types of information and surveillance and therefore have no corresponding obligations;
- Obligation to provide information automatically limited to those providers who already provide information automatically today;
- Restriction of the provision regarding positioning to 5G technology and extension of the implementation period from 12 or 18 to 24 months.
The following points raised during the consultation were not taken into account:
- technology-neutral wording in the ordinances: According to the FDJP, the overall concept of the VÜPF would be disrupted if only individual provisions were formulated in a technology-neutral manner (the corresponding requirement could only be implemented as part of a total revision of the VÜPF);
- Extension of the processing deadlines for responding to certain types of information: The FDJP considers the deadlines provided for in the VD-ÜPF (e.g. six-hour deadline for providers subject to on-call duty) to be appropriate, especially as a late response could have devastating consequences in certain cases (e.g. anonymous bomb threats);
- Adjustment of the compensation of the Affected Providers: The FDJP considers a compensation of three Swiss francs for all simple information with reference to Swiss Federal Supreme Court's judgment 2C_650/2020 of 27 July 2021 to be appropriate.
Assessment and Way Forward
The request of criminal authorities to keep pace with new technological developments such as 5G technology is understandable.
However, from a legislative point of view, it is not convincing to initially lay down obligations without defining who is specifically subject to these obligations. If the group of affected parties is not sufficiently specified, one cannot assume a legally sufficient consultation. It remains largely unclear who is specifically affected by the individual changes, until the Affected Providers are redefined in the second revision package.
The new provisions impose numerous new obligations on the Affected Providers and, in return, provide the criminal authorities with new means. It is questionable whether the actual aim of the revision – to adapt the ordinances to 5G technology – has been achieved or whether it has been overstepped. The introduction of new obligations by way of ordinances also raises fundamental rights issues.
The higher density of information to be provided according to the revised ordinances and the resources to be created for this, will undoubtedly lead to additional expenditure on the part of the Affected Providers. However, the FDJP did not honour the justified request for higher compensation. This is not understandable, as it is ultimately nothing more than assistance from private providers in the performance of government tasks (see also postulate no. 19.4031 by National Councillor Albert Vitali/Marcel Dobler of 16 September 2019 and the report of the Swiss Federal Council of 18 October 2023 based on this). Between 2019 and 2022, the number of enquiries more than doubled according to the relevant statistics of the Surveillance Service (https://www.li.admin.ch/de/stats). It can be assumed that this trend will continue and that the complexity of the cases will also continue to increase.
It is positive that some controversial provisions have been moved to the second revision package. This means that the new obligations can be introduced at the same time as the definition of the Affected Providers. The clarification of the wording of individual provisions of the ordinances and the extension of the transitional period are also to be welcomed.
Companies which qualify as providers of telecommunications services or derived communications services under current law should familiarise themselves with the changes to surveillance law and follow further developments in connection with the second revision package.
For reasons of legal certainty, it would be desirable to have clarity on the Affected Providers as soon as possible.
Further information:
- Report of the FDJP of 15 November 2023 on the results of the consultation on the revision package of ordinances to the SPTA (Part 1, German);
- Ordinance on the Surveillance of Post and Telecommunications (VÜPF), amendment of 15 November 2023 (German);
- Ordinance of the FDJP on the Execution of Surveillance of Post and Telecommunication (VD-ÜPF), amendment of 15 November 2023 (German);
- Ordinance on the Processing System for the Surveillance of Post and Telecommunications (VVS-ÜPF), amendment of 15 November 2023 (German) (incl. Annex 1 and Annex 2);
- Explanatory notes of the FDJP of 15 November 2023 on the revision package of ordinances to the SPTA (Part 1, German);
- Report of the Swiss Federal Council of 18 October 2023 "For a proportionate federal law on the surveillance of post and telecommunications" (German);
- Postulate no. 19.4031 of National Councillor Albert Vitali/Marcel Dobler of 16 September 2019 (German);
- Consultation documents on the revision package of ordinances to the SPTA (Part 1, German);
- Explanatory report of the Swiss Federal Council of 16 February 2022 (German);
- Dispatch of the Swiss Federal Council of 27 February 2013 on the SPTA (German);
- Dispatch of the Swiss Federal Council of 6 September 2017 on the TCA revision (German);
- Leaflet of the Surveillance Service on the demarcation TSP and PDCS of 16 April 2019 (German);
- OFCOM guidelines on registration as TSP of 18 March 2021 (German)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.