Switzerland's Federal Act on Data Protection (nDSG/FADP)

Strong privacy law, banking tradition of secrecy — but the US broke Swiss banking confidentiality in 2014, and Swiss companies cooperate with American requests.

In one sentence

Switzerland's revised Federal Act on Data Protection (nDSG, effective September 2023) aligns closely with GDPR and gives residents strong rights — but Switzerland is not in the EU, cooperates closely with US authorities, and its banking secrecy has been significantly eroded.

How it works

The nDSG applies to all processing of Swiss residents' data. The key rights are information, access, deletion, and data portability. Intentional violations carry criminal penalties (up to CHF 250,000 for individuals), which is unusual compared to GDPR's corporate fines. The Federal Data Protection and Information Commissioner (FDPIC) oversees enforcement. Switzerland has an adequacy decision from the EU, meaning data flows freely between Switzerland and the EU.

The banking secrecy myth

Switzerland was once synonymous with financial secrecy. This ended in 2014 when the US Department of Justice forced Swiss banks to hand over American account holders' data under threat of criminal prosecution. Credit Suisse paid $2.6B in fines. UBS paid $780M. Since 2018, Switzerland automatically exchanges financial data with 100+ countries under the OECD Common Reporting Standard. The secrecy that made Switzerland attractive for privacy is largely gone for financial data.

US cooperation

Switzerland participates in mutual legal assistance treaties (MLAT) with the US. Swiss companies like Proton (ProtonMail, ProtonVPN) comply with Swiss court orders — and Swiss courts can be compelled to assist US investigations via MLAT. In 2021, Proton provided French authorities with the IP address of a French climate activist, pursuant to a Swiss court order initiated by French police via Europol. This demonstrated that 'Swiss privacy' has limits when foreign governments use proper legal channels.

Why it matters for privacy products

Switzerland hosts Proton (email, VPN, drive), Tresorit (cloud storage), Wire (messaging), and Threema (messaging). These companies chose Switzerland for its reputation. The protection is real — Swiss law prevents mass surveillance and requires judicial oversight. But it's not absolute: court orders work, MLATs work, and the FDPIC can compel cooperation. The advantage over the US is judicial oversight and the absence of mass surveillance programmes like PRISM. The advantage over the EU is independence from GDPR's one-stop-shop problems.
