ATTENTION: This version of the commentary is an automatically generated machine translation of the original. The original commentary is in German. The translation was done with www.deepl.com. Only the original version is authoritative. The translated form of the commentary cannot be cited.
Commentary on
Art. 18 CCC (Convention on Cybercrime)

A commentary by Damian K. Graf

Edited by Damian K. Graf


I. General

1 In Section 2 (“Procedural law”) of Chapter 2 (“Measures to be taken domestically”), Article 18 CCC, under Title 3 (“Ordering disclosure”), deals with the disclosure of data by the competent criminal authorities. A distinction is made between two scenarios: on the one hand, the disclosure of computer data by a person located in the territory of the Contracting State concerned (para. 1 lit. a), and on the other hand, the disclosure of inventory data by service providers offering their services in the Contracting State (para. 1 lit. b). Since the latter are not based in the contracting state concerned and the inventory data does not have to be stored there, Art. 18 CCC contains an extraterritorial element (see n. 9 f.).

2 Issuing an order to disclose data is the lesser measure compared to coercive measures, which interfere more profoundly with the rights of the persons concerned (who are often not themselves accused). In accordance with the principle of proportionality, the possibility of an order to disclose data must always be examined before resorting to more far-reaching coercive measures (such as a house search) (see also Art. 265 para. 4 CrimPC). An important consideration in this balancing of interests is the risk of collusion and loss of evidence if the data is not immediately secured by members of the law enforcement authorities.

3 In terms of content, Art. 18 CCC is limited to the disclosure of specifically identified or identifiable, existing or stored data in the context of criminal proceedings. This does not necessarily have to be a cybercrime within the meaning of Articles 2–11 CCC or another crime committed using a computer system; it is sufficient that the evidence available in electronic form is intended to prove any crime (Article 14 para. 2 CCC). This also means that the requested evidence must at least be potentially relevant, i.e., it must be of significance for the criminal investigation or must not appear to be obviously unsuitable, which already follows from the generally applicable principle of proportionality (requirement of an “appropriate” state measure).

4 Based on the wording of the Convention (“each Party shall take the necessary legislative or other measures to empower its competent authorities”; similarly Art. 14 para. 1 CCC), Art. 18 CCC is not a “self-executing” norm that becomes directly applicable upon ratification of the Convention. Rather, it establishes an obligation under international law to adopt corresponding domestic provisions. Unlike Art. 32 CCC, Art. 18 CCC cannot therefore be directly invoked as a basis for criminal proceedings.

5 However, the Federal Council stated in its message that Swiss law already complies with the requirements of Art. 18 CCC. In this respect, both the wording of Art. 18 CCC and the related materials – in particular the Explanatory Report on the CCC and Guidance Note # 10 of the Cybercrime Convention Committee (“T-CY”) of the Council of Europe – can be used as interpretative aids for the application of domestic provisions, primarily Art. 265 CrimPC. In Switzerland, it is also a general principle that standards must be interpreted in accordance with the convention as far as possible.

6 Art. 18 CCC does not specify how the measures are to be implemented in the respective domestic law; rather, it merely outlines the minimum content of the national enabling provisions and leaves it to the individual contracting states to integrate the convention requirements into their systems of evidence-gathering measures. Art. 18 para. 2 CCC refers to the further minimum guarantees of Art. 14–15 CCC, which must also be observed in this context.

7 Nor does Art. 18 CCC regulate whether and, if so, to what extent data must be stored, nor does it specify retention periods. In particular, it does not contain any obligation for providers to keep records of their subscribers, to ensure that these are accurate, to verify the identity of users or to prevent the use of pseudonyms. Such obligations may arise from domestic regulations at the level of law or ordinance.

II. Order to disclose computer data (para. 1 lit. a)

8 In substantive terms, the request for disclosure may extend to “computer data” defined in Art. 1 lit. b CCC as “any representation of facts, information, or concepts in a form suitable for processing in a computer system, including a program that can trigger the execution of a function by a computer system.” This term includes all types of data, in particular inventory, connection, and content data (see n. 24 ff.). Art. 18 CCC merely requires that the data in question may be requested, without commenting on jurisdiction or specific domestic procedures. For this reason, it is, for example, entirely compatible with Art. 18 and Art. 15 CCC that the disclosure of connection data under Swiss law is subject to stricter requirements than the disclosure of inventory or content data and that the approval of the coercive measures court must also be obtained (see n. 27 f.).

9 In personal terms, Art. 18 para. 1 lit. a CCC applies, according to its express wording, to all legal and natural persons who, at the time of the order, have their seat, domicile or even only their temporary residence in the contracting state. The internal relationship required under sovereignty law is, in contrast to Art. 32 CCC, not defined by the location where the data is stored, but is linked to the person in whose possession or under whose control the data to be collected is located. Art. 18 para. 1 lit. a CCC also covers providers based in Switzerland; not only inventory data (cf. Art. 18 para. 1 lit. b CCC) but also content and connection data can be requested from them.

10 The location where the data is stored is irrelevant in this context. Accordingly, data stored abroad may also be subject to a disclosure order if it is “in the possession or under the control” of a domestic person (“computer data in that person's possession or control”). Art. 18 para. 1 lit. a CCC therefore allows, like Art. 32 CCC, a form of extraterritorial evidence gathering. This is in line with the Federal Supreme Court's case law on Art. 18 CCC and Art. 265 CrimPC, according to which these provisions allow the disclosure of all data to which the addressee of the order has access or is permitted to have access (“avoir un pouvoir de disposition, en fait et en droit, sur ces données”).

11 The pair of terms “possession or control” refers, on the one hand, to the physical possession of the data in question within the territory of the issuing Contracting State (data sovereignty) and, on the other hand, to situations in which the data of interest is not in the custody of the addressee of the disclosure order but the latter has free control over its disclosure (right of disposal). This includes, for example, a person who has stored data with a third-party provider, such as in a cloud—in this case, the third-party provider is in possession of the data and the user is in control of it, and both can be held liable as addressees of the order. Ownership and control may differ in this respect. However, according to the Explanatory Report, it is not sufficient to merely have the technical ability to access remotely stored data; rather, the data must be under the legitimate control of the addressee of the disclosure. “Control” thus cumulatively requires both the possibility of access and the authorization to access this data. This must be clarified in detail. The addressee must cooperate in providing evidence if it claims that it lacks control or access to the requested information.

12 In group structures, it cannot be assumed without further ado that a subsidiary can access data belonging to its parent company or sister companies. Conversely, parent companies within a group are often likely to have either de facto or de jure control over the data within the group due to their position. If data remains with national subsidiaries for regulatory or data protection reasons and the parent company demonstrably lacks access to it, the data can only be requested from the national subsidiary. If internal or external storage or archiving solutions or data centers are used, the right of control remains with the outsourcing party, while the storing company “owns” the data because it is within its sphere of control. Therefore, subsidiaries or partner companies of foreign providers based in Switzerland that store data in Switzerland (e.g., in server farms) are also subject to a disclosure obligation.

13 The decisive factor is the actual or legal ability to access the data at the time of the order. Restricting access after receiving a request would not only be an abuse of rights, but could also constitute a criminal offense (see Art. 305 SCC [aiding and abetting]) depending on the legal situation in the contracting states.

14 As seen (n. 9 f.), Art. 18 para. 1 lit. a CCC does not directly refer to the location where data is stored. However, a domestic disclosure order may cover data stored in Switzerland regardless of whether the persons entitled to the data are located abroad (e.g., if a person residing abroad stores data in Switzerland or operates a data center). If only the data is located in Switzerland, but not the persons entitled to the data, the only question that arises is how the disclosure request can be transmitted to the person residing abroad – an issue that also arises under lit. b (see n. 20 f.).

III. Order to disclose inventory data from providers (para. 1 lit. b)

15 Art. 18 para. 1 lit. b CCC refers to the disclosure of inventory data by service providers within the meaning of Art. 1 lit. c CCC who offer their services in the territory of the contracting state. The article is thus both narrower and broader than lit. a: it is limited to service providers and the submission of inventory data (“subscriber information”) – e.g., the identity of the customer or details of payment transactions (see n. 24 ff.) – but covers foreign as well as Swiss providers (see n. 17 f.). The necessary domestic connection to Switzerland is understood here, similar to the concept under antitrust law, in the sense of the effect principle, which is why foreign service providers are also covered if they are active on the Swiss market. The prerequisite here is also that the data is in the possession or under the control of the addressee of the order (see n. 11 ff.).

16 In contrast to Art. 32 CCC, which is based on voluntary compliance and requires, among other things, authorization in the general terms and conditions or similar for legally compliant data delivery by providers, a request for disclosure is binding and must be implemented by the addressed service providers if it complies with the domestic requirements of the contracting state in which the services are offered and which issued the order. Facilitated and more efficient access to inventory data appears appropriate, as 80–90% of the data required internationally is inventory data; Art. 18 para. 1 lit. b CCC thus contributes to relieving the burden on the international mutual assistance system.

17 On the question of when a service is “offered” in a contracting state, there is already case law in European states in other contexts: it is necessary that the activities of the service provider are directed at users in that state, i.e., the service provider intends that users in that state use its services. The mere accessibility of a website or the possibility of logging in from another country is not sufficient for this purpose. Indications that a service is being “offered” include the use of languages or currencies other than those customary in the country of establishment, the use of top-level domains or a telephone area code of a country. For example, the highest Belgian court ruled that Yahoo! Inc. could be compelled to disclose inventory data under threat of criminal penalties because Yahoo! Inc. actively participated in Belgian economic life as a provider of a free webmail service. This was evident, among other things, from the use of the domain “www.yahoo.be,” the use of the national language, the placement of advertisements based on the location of users, and the establishment of a complaint form and an FAQ section for Belgian users. Finally, the new Art. 3 no. 4 of Regulation (EU) 2023/1543 on European production orders and European preservation orders for electronic evidence in criminal proceedings and for the enforcement of custodial sentences following criminal proceedings of July 12, 2023 (“e-Evidence Regulation”) requires that the criterion of “providing services in the EU” be met cumulatively by (a) the creation of a possibility for natural or legal persons in a Member State to use the services, and (b) a substantial connection to that Member State, which is deemed to exist, for example, if the service provider has an establishment or a significant number of users in that Member State or if its activities are directed toward that Member State. Such criteria can also be applied to Art. 18 CCC.

18 If foreign providers are active with a service in the market of a contracting state, they are obliged to disclose the inventory data relating to the users of that specific service in the respective contracting state. This is the case, for example, if someone registers via the service provider's “.ch” address, has indicated Switzerland as their place of residence or registered office, or has used a Swiss IP address at the time of registration or at a later date.

19 Within the Council of Europe bodies, too, the prevailing view is that domestic providers may be required to disclose inventory data stored on a data processing system abroad (provided that it is under their control, see also n. 11 ff.) and that orders may be addressed directly to a foreign provider. Both are also in line with the wording of Art. 18 CCC.

20 The Federal Supreme Court has also already dealt with these two questions and issued a differentiated ruling: In a judgment of November 16, 2016, it held that Art. 18 CCC and Art. 265 CrimPC permit the disclosure of all data provided that the addressee of the order has factual and legal access to it (“avoir un pouvoir de disposition, en fait et en droit, sur ces données”), including data stored abroad. In a ruling dated January 14, 2015, however, it stated that, on the basis of Art. 18 CCC, a foreign provider cannot be approached directly by means of a disclosure order, even if it offers its services in Switzerland – Art. 32 CCC therefore conclusively regulates direct cross-border access, and Art. 25 para. 4 sentence 1 CCC stipulates that international legal assistance must follow the usual instruments unless a different provision is “expressly” provided for in the CCC. The Federal Supreme Court did at least state that subsidiaries or partner companies of foreign providers based in Switzerland that store data in Switzerland (such as server farms) are subject to Swiss law. However, it did not address the wording of Art. 18 CCC, the Explanatory Report, or the message, according to which the legislature specifically assumed that domestic law complies with the requirements of Art. 18 CCC. It is not the task of the Federal Supreme Court to override the clear intention of the legislature. Furthermore, there is no apparent violation of sovereignty when services are offered in Switzerland, as in this case there is a sufficient internal connection to Switzerland. A restriction to service providers based in Switzerland would also render Art. 18 para. 1 lit. b CCC obsolete, as providers based in Switzerland are already covered by Art. 18 para. 1 lit. a CCC (see n. 9) and are therefore required to disclose not only inventory data but also content and connection data. Therefore, on balance, Art. 18 para. 1 lit. b CCC can also be used as a basis for the current practice in Switzerland, which is primarily based on Art. 32 CCC, according to which law enforcement authorities address direct requests to foreign providers (“information requests”). This also applies in reverse – Swiss providers offering their services in foreign markets may be requested directly by those authorities to disclose data, and since they are generally subject to a disclosure obligation, they are not liable to prosecution under Art. 271 SCC (“Prohibited acts for a foreign state”) if they disclose the data.

21 With regard to the delivery of disclosure orders, larger providers make so-called “law enforcement portals” available, through which Swiss law enforcement authorities can also register and submit their requests directly. In the case of smaller service providers, requests for disclosure can be sent via the police (via Interpol) or, if accepted, directly (e.g. by email). Art. 18 para. 1 lit. b CCC allows the formal mutual assistance procedure to be waived and permits the contracting states to serve such disclosure orders directly on providers in other contracting states. This is permissible and appropriate, as the requirement for service of the disclosure order by mutual legal assistance would negate the simplifications that Art. 18 para. 1 lit. b CCC is specifically intended to enable. Only direct service ensures that the criminal prosecution authorities can access the necessary inventory data efficiently and quickly without having to go through the often lengthy and bureaucratic mutual legal assistance procedure. The fact remains, however, that if the provider does not cooperate, compliance cannot be enforced directly, but only through the formal mutual legal assistance procedure by means of coercive measures going beyond Art. 18 CCC.

22 Since the request for disclosure is a domestic measure of evidence, it is not the law of the contracting state in which the provider is based that is decisive, but the law of the contracting state in which the provider offers its services.

IV. Reference to Art. 14–15 CCC (para. 2)

23 States may, within the framework of Art. 15 CCC, lay down conditions and safeguards and exclude data from the scope of Art. 18 CCC. For example, it is justified to restrict the disclosure of connection data to certain offenses and to require that authorization be obtained from the coercive measures court (Art. 273 CrimPC). Furthermore, it is permissible to link disclosure orders to prohibitions on disclosure, as implemented in Swiss law (Art. 73 para. 2 CrimPC).

V. Definition of inventory data (para. 3)

24 Inventory data includes all information – other than connection or content data – stored by a service provider in connection with a user or subscriber of its services. The main purpose of requesting inventory data is to determine the identity of the subscriber or user and to identify the services used by the user. In addition, commercial information such as billing and payment data may also be relevant, particularly in connection with cyber fraud and other property offences.

25 According to Art. 18 para. 3 CCC, inventory data includes all information relating to (a) the type of communication service used, the technical measures taken for this purpose and the duration of the service; (b) the identity of the subscriber, their postal or home address, telephone and other access numbers, and billing and payment details available on the basis of the contract or agreement relating to the service; and (c) other information about the location of the communication equipment available on the basis of the contract or agreement relating to the service. In Switzerland, the information that may be disclosed pursuant to Art. 22 para. 1 BÜPF is specified in Articles 36–38 of the Ordinance on the Surveillance of Postal and Telecommunications Traffic of November 15, 2017 (“VÜPF,” SR 780.11). In particular, inventory data includes addressing elements such as the assignment of names, telephone numbers, and addresses of users to a known IP address, as well as original contracts and copies of identification documents presented when the contract was concluded, and technical information relating to telecommunications.

26 Inventory data must be distinguished from content data, which comprises the content of communications or stored files, and from connection or traffic data, which is generated in connection with a communication and reveals the origin, destination, route, time, date, scope, or duration of the communication (Art. 1 lit. d CCC). The Federal Supreme Court differentiates between inventory data and peripheral data based on the criterion of whether the law enforcement authorities already know an Internet connection or an e-mail address that only needs to be assigned to a specific person; if so, it is a query of inventory data. If, on the other hand, the law enforcement authorities are only aware of criminal Internet communication activities and the assigned IP addresses and registered customers are to be determined from the connection peripheral data of the communication in question, this constitutes a (permit-requiring) retroactive collection of peripheral data within the meaning of Art. 273 CrimPC. According to case law, this should also apply across the board to requests for the disclosure of IP history. The distinction must be made according to whether it is a question of who communicated with whom and when (connection data within the meaning of Art. 273 CrimPC) or rather who used a specific service at a known point in time (inventory data within the meaning of Art. 22 para. 1 BÜPF). Registration IP addresses for an already known account must therefore be clearly regarded as inventory data and not as traffic data, as they serve exclusively to identify a participant and have no connection to subsequent communication via the account. Other “access data” (e.g., the IP history of logins to a service not intended for communication, such as logging into a crypto wallet or a cloud) cannot correctly be considered connection metadata either. This data does not directly or indirectly concern communication between people and its surveillance. In such cases, IP addresses are more comparable to traces left at the scene of a crime, similar to a fingerprint or DNA, and do not constitute connection data in the context of human communication, but rather inventory data. The Federal Supreme Court's ruling on the classification of IP histories as traffic data within the meaning of Art. 273 CrimPC is insufficiently differentiated in this respect.

VI. Requirements for permissible data collection under Swiss criminal procedure law

27 For inventory data within the meaning of Art. 18 para. 3 CCC – i.e. in particular (also retroactive) information about who is or was registered as the owner or billing addressee of the connection with service providers subject to Swiss law (see n. 24 ff.) – a simple query pursuant to Art. 22 para. 1 BÜPF may be submitted to the service responsible for monitoring postal and telecommunications traffic (ÜPF service). Such information may also be obtained through disclosure (Art. 265 CrimPC), in particular if the foreign provider offering its services within the meaning of Art. 18 para. 1 lit. b CCC in Switzerland is not subject to the BÜPF. The request for information via the ÜPF service is merely a procedural requirement; neither the CrimPC nor the BÜPF or the associated ordinance stipulates that information not communicated via the ÜPF service is inadmissible. A request for inventory data requires a suspicion that a criminal offense (felony, misdemeanor, or violation) has been committed via the Internet (Art. 22 para. 1 BÜPF), that the information requested is potentially relevant to the investigation or admissible as evidence, and that the measure is proportionate. No ordinary legal remedy is available against a request for inventory data; in particular, sealing (Art. 248 CrimPC) is not applicable, as it is not apparent from the outset to what extent the requested inventory data could be subject to a prohibition of seizure under Art. 264 CrimPC. Providers are subject to a duty to provide information; if they refuse to do so, an administrative fine or a fine pursuant to Art. 292 SCC may be imposed (provided they have been informed of this in advance), or coercive measures may be taken (analogous to Art. 265 para. 3 and 4 CrimPC). For foreign providers offering their services in Switzerland, the threat of criminal penalties under Art. 292 SCC should also be permissible, but coercive measures to enforce the request for inventory data would have to be requested from the relevant state through mutual legal assistance.

28 For content and connection data, both of which may be requested under Art. 18 para. 1 lit. a CrimPC, a distinction must then be made: Content data that may be relevant for evidentiary purposes must be disclosed under Art. 265 CrimPC if it is stored (“in storage”) at the time of the order and is not still in transit (“in traffic”). Relevant in practice are, for example, content data from webmail operators, such as the email account of an “@bluewin.ch” address at Swisscom. The prerequisites for the disclosure of content data are sufficient suspicion of any criminal offense, the potential evidential value or relevance of the disclosed records for the criminal proceedings, and compliance with the principle of proportionality. The disclosure order may be linked to a prohibition of disclosure pursuant to Art. 73 para. 2 CrimPC, which means that the account holder may not be notified by the service provider until further notice. The owners and other authorized persons may appeal against disclosure orders by applying for sealing (Art. 248 CrimPC), at least insofar as they can assert their own interests in confidentiality. Although the provider is formally entitled to request sealing, it cannot do so on behalf of its customers and is unlikely to be able to invoke its own prohibition of seizure under Art. 264 CrimPC. For connection or marginal data (see n. 26), the public prosecutor's office must issue not a disclosure order but an order pursuant to Art. 273 CrimPC, which is subject to stricter requirements: (1) There must be urgent suspicion of a crime or offense; (2) the seriousness of the offense must justify the surveillance; (3) the investigative measures taken to date must have been unsuccessful or the investigation would otherwise be futile or disproportionately difficult (Art. 273 para. 1 in conjunction with Art. 269 para. 1 CrimPC). The order must also be approved by the coercive measures court (Art. 274 CrimPC), otherwise the evidence obtained is absolutely inadmissible (Art. 277 para. 2 CrimPC). The approval of the coercive measures court may be challenged by the person under surveillance, or, where applicable, by the provider, by means of an appeal under Art. 393 ff. CrimPC (Art. 279 para. 3 CrimPC).

Bibliography

Betschmann Simon, Randdatenerhebung im Fernmeldeverkehr gemäss Art. 273 StPO, AJP 2019, pp. 358 ff.

Donatsch Andreas/Lieber Viktor/Summers Sarah/Wohlers Wolfgang (eds.), Schulthess Kommentar zur Schweizerischen Strafprozessordnung, 3rd ed., Zürich 2020 (cited as SK-Bearbeiter/in, Art. … StPO N. …).

Graf Damian K., Corona- und Crypto-Leaks – die Strafverfolgung bewegt sich nicht im rechtsfreien Raum, guest commentary, NZZ of 17.2.2023, available at https://www.nzz.ch/meinung/was-darf-die-staatsanwaltschaft-die-corona-und-crypto-leaks-ld.1725348, accessed on 31.3.2025 (cited as Crypto-Leaks).

Graf Damian K., Kommentierung zu Art. 32 CCC, in: Graf Damian K. (ed.), Onlinekommentar, Übereinkommen über die Cyberkriminalität (Cybercrime Convention), available at https://onlinekommentar.ch/de/kommentare/ccc32, accessed on 31.3.2025 (cited as OK).

Forster Marc, Marksteine der Bundesgerichtspraxis zur strafprozessualen Überwachung des digitalen Fernmeldeverkehrs, in: Festgabe Schweizerischer Juristentag 2015, Zürich 2015, pp. 615 ff.

Hansjakob Thomas, Die Erhebung von Daten des Internetverkehrs – Bemerkungen zu BGer 6B_656/2015 vom 16.12.2016, forumpoenale 4 (2017), 252 ff. (cited as Erhebung).

Hansjakob Thomas, Überwachungsrecht der Schweiz, Kommentar zu Art. 269 ff. StPO und zum BÜPF, Zürich/Basel/Genf 2017 (cited as Überwachungsrecht).

Niggli Marcel Alexander/Heer Marianne/Wiprächtiger Hans (eds.), Basler Kommentar zur Strafprozessordnung/Jugendstrafprozessordnung, 3rd ed., Basel 2023 (cited as BSK-Bearbeiter/in, Art. … StPO N. …).

Roth Simon, Die grenzüberschreitende Edition von IP-Adressen und Bestandesdaten im Strafprozess, Direkter Zugriff oder Rechtshilfe?, Jusletter of 17.8.2015.

Schweingruber Sandra, Cybercrime-Strafverfolgung im Konflikt mit dem Territorialitätsprinzip, Jusletter of 10 November 2014.

Seger Alexander, «Grenzüberschreitender» Zugriff auf Daten im Rahmen der Budapest Konvention über Computerkriminalität, Praxisbericht zum Stand der Arbeiten des Europarats, Zeitschrift für öffentliches Recht 73 (2018), pp. 71 ff.

Walder Stephan, Grenzüberschreitende Datenerhebung: Ist und Soll, Kriminalistik 8-9/2019, pp. 540 ff.

Materials

Botschaft über die Genehmigung und die Umsetzung des Übereinkommens des Europarates über die Cyberkriminalität vom 18.6.2010, BBl 2010 4697 ff., available at https://www.fedlex.admin.ch/eli/fga/2010/813/de, accessed on 31.3.2025.

Botschaft zum Bundesgesetz betreffend die Überwachung des Post- und Fernmeldeverkehrs (BÜPF) vom 27.2.2013, BBl 2013 2683 ff., available at https://www.fedlex.admin.ch/eli/fga/2013/512/de, accessed on 31.3.2025.

Council of Europe, Cybercrime Convention Committee (T-CY), The Budapest Convention on Cybercrime: benefits and impact in practice, Strasbourg, 13.7.2020, available at https://rm.coe.int/t-cy-2020-16-bc-benefits-rep-provisional/16809ef6ac, accessed on 31.3.2025 (cited as T-CY, Benefits).

Council of Europe, Cybercrime Convention Committee (T-CY), T-CY Guidance Note # 10, Production orders for subscriber information (Article 18 Budapest Convention), Strasbourg, 28.2.2017, available at https://rm.coe.int/16806f943e, accessed on 31.3.2025 (cited as T-CY Guidance Note # 10).

Council of Europe, Cybercrime Convention Committee (T-CY), T-CY Cloud Evidence Group, Criminal justice access to electronic evidence in the cloud: Recommendations for consideration by the T-CY, Final report, Strasbourg, 16.9.2016, available at https://rm.coe.int/16806a495e, accessed on 31.3.2025 (cited as T-CY, Cloud).

Council of Europe, Explanatory Report to the Convention on Cybercrime, Budapest, 23.11.2001, available at https://rm.coe.int/16800cce5b, accessed on 31.3.2025 (cited as Explanatory Report).


DOI (Digital Object Identifier)

10.17176/20250429-193729-0

Creative Commons License

Onlinekommentar.ch, Commentary on Art. 18 CCC (Convention on Cybercrime) is licensed under a Creative Commons Attribution 4.0 International License.
