Switzerland has an international reputation for data protection, discretion, and the rule of law. This reputation is a competitive advantage for Swiss companies, especially in regulated industries such as financial services, law, and healthcare. Yet this very advantage is being undermined by the way many companies deploy their AI tools.
Anyone who hands their data to a US cloud provider to use AI services is undermining the data sovereignty that their clients and customers expect. This is not a hypothetical risk. It is a legal reality.
What Data Sovereignty Means
Data sovereignty refers to the control over where data is stored, who can access it, and which legal system governs it. For Swiss companies, this means: data processed and stored in Switzerland is subject to Swiss law. Data processed by a US company is potentially subject to US law, regardless of where the server is located.
This distinction is not academic. It has concrete legal consequences.
The CLOUD Act Problem
The US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was enacted in 2018. It gives US authorities the power to require US companies to hand over data, even when that data is stored outside the United States.
This directly affects Swiss companies that use services from Microsoft, Google, Amazon, or other US technology providers. Even if the data physically resides on a server in Zurich, the US government can theoretically demand access if the provider is a US company (or has a US subsidiary).
For Swiss law firms, this is particularly problematic. Attorney-client privilege under BGFA Art. 13 is absolute. Disclosing client data to foreign authorities would be a serious violation. Similar confidentiality obligations apply to banks and asset managers. For healthcare providers, patient confidentiality protects the data.
The question is not whether US authorities actually access Swiss data. The question is whether the legal possibility exists. And it does.
The Swiss Federal Act on Data Protection (FADP)
The revised Swiss Federal Act on Data Protection (FADP), in force since September 2023, significantly tightens the requirements for handling personal data.
Data transfers abroad (Art. 16-18 FADP). Personal data may only be transferred to countries that ensure adequate data protection. The list of recognised countries is determined by the Federal Council. There is no general adequacy decision for the United States. Transfers require additional safeguards such as standard contractual clauses or the explicit consent of the data subject.
Controller obligations (Art. 5-8 FADP). Anyone processing personal data must take appropriate technical and organisational measures to ensure data security. Using AI services that send data to US servers may violate this obligation if adequate protective measures are not in place.
Criminal provisions (Art. 60-66 FADP). Violations of the FADP can now be punished with fines of up to CHF 250,000. Unlike the GDPR, the fines target natural persons, not companies. This means the managing director or data protection officer is personally liable.
GDPR Relevance for Swiss Companies
Swiss companies that process data of EU citizens or offer goods and services into the EU are additionally subject to the GDPR. The requirements for data transfers to third countries are even stricter under the GDPR than under the FADP.
The CJEU's Schrems II ruling (2020) invalidated the EU-US Privacy Shield. The EU-US Data Privacy Framework of 2023 provides a new basis, but its stability remains contested. Swiss companies relying on this framework are taking a regulatory risk.
Why This Is Especially Relevant for AI
AI systems process large volumes of data. An AI-assisted legal research tool reads client documents. A compliance tool analyses internal policies and financial data. A document analysis tool processes contracts containing confidential business information.
If this processing takes place on the infrastructure of a US company, all of this data is potentially subject to the CLOUD Act. This applies even when the provider promises not to read the data or to store it only in Europe. The legal possibility of access exists regardless of contractual assurances.
There is also a technical risk: many AI providers use user data to train their models. Even if a provider states that it does not do this, the technical boundaries are often unclear. The safest solution is not to send data to providers whose data processing practices cannot be fully controlled.
What Swiss Companies Can Do Concretely
Data sovereignty is not an abstract goal. There are concrete measures companies can take.
Verify hosting location and operator
Where is the data processed? Who operates the infrastructure? A Swiss data centre operated by a US company offers no protection against the CLOUD Act. What matters is not the location of the server but the jurisdiction of the operator.
Do not treat contractual clauses as sufficient
Standard contractual clauses and data protection agreements provide a legal framework. But they cannot override the CLOUD Act. A US company that receives a government disclosure order must comply, regardless of contracts with Swiss clients.
Choose AI providers under Swiss jurisdiction
The most effective measure is to use AI tools from providers not subject to US jurisdiction. Swiss companies that operate their infrastructure in Switzerland and have no US parent company are not subject to the CLOUD Act. The data is exclusively subject to Swiss law.
Introduce data classification
Not all data is equally sensitive. Data classification helps determine the appropriate level of protection. Publicly available legal data may potentially be processed through international services. Confidential client data, trade secrets, or health data require Swiss sovereignty.
Evaluate the technical architecture
How does the AI system process the data? Is it sent to external APIs? Is it used for model training? Is it deleted after processing? Ask for technical documentation, not just marketing promises.
The Competitive Advantage of Data Sovereignty
Data sovereignty is not just a compliance obligation. It is a competitive advantage. Swiss companies that can demonstrate their data is exclusively subject to Swiss law differentiate themselves from international competitors.
For law firms, this means: clients trust that their data is protected. For financial services providers: customers know their asset data is not potentially accessible to US authorities. For companies generally: partners and clients in the EU value Swiss data protection standards as an alternative to US-dominated services.
In a world where AI tools are becoming standard, the question will not be whether a company uses AI. The question will be whether it uses AI without giving up control over its data.
Sovereign AI as a Swiss Answer
Switzerland has all the prerequisites to offer sovereign AI infrastructure: political stability, strong data protection laws, excellent technical infrastructure, and a legal framework that protects confidentiality.
What was previously missing were AI tools that leverage these prerequisites. That is changing.
The Enclava platform by Mont Virtua is fully hosted in Switzerland and operated by a Swiss company. No US corporate dependencies, no CLOUD Act risk, no data transfers abroad. All data is exclusively subject to Swiss law.
If data sovereignty is relevant for your company, we should talk. Contact us at [email protected] or visit our contact page.