Skip to main content

Glossary International law

BÜPF

Also: Federal Act on the Surveillance of Post and Telecommunications, Bundesgesetz über die Überwachung des Post- und Fernmeldeverkehrs

Origin: Bundesgesetz über die Überwachung des Post- und Fernmeldeverkehrs (BÜPF), revised version in force 1 March 2018.

The Swiss federal statute governing lawful surveillance of telecommunications, including the data-retention duties imposed on Swiss telecommunications providers and the procedural framework under which such surveillance is judicially authorised. The 2018 amendments expanded the scope to include some over-the-top services.

Reviewed

The BÜPF — the Bundesgesetz über die Überwachung des Post- und Fernmeldeverkehrs, “Federal Act on the Surveillance of Post and Telecommunications” — is the statute that sets out the conditions under which Swiss authorities may surveil telecommunications, the duties of telecommunications providers to assist in such surveillance, and the procedural review under which lawful interception must be authorised. It is the operational counterpart to the substantive law on serious crime and counter-terrorism: where the criminal procedure code defines what the authorities are trying to investigate, the BÜPF defines what telecommunications providers must do to help.

The 2018 revision expanded the scope of the duties from traditional telecommunications providers — telcos, internet-service providers in the classical sense — to include some “derived services” (Abgeleitete Dienste), defined operationally as services that “facilitate communication.” The expansion was contested at the time and has been litigated since; the leading case, ProtonMail v UVEK, addressed whether an end-to-end-encrypted email provider met the statutory definition.

The substantive position the statute imposes on a telecommunications provider is fact-specific. A provider classified as a “full” telecommunications service-provider faces a six-month data-retention duty over metadata (sender, recipient, time, duration) and must operationally provision interception capabilities at the request of the federal Post and Telecommunications Surveillance Service. A provider classified as a “derived service” is subject to a thinner set of duties — broadly, compliance with specific authorised intercept orders rather than standing retention.

For an offshore-hosting operator with Swiss presence the practical question is how the operator’s particular service classifies under the statute. The publication’s Switzerland jurisdictional dossier sets out the operator’s view, drawn from the case-law as it stands at last review. The operator is not classified as a full telecommunications service-provider and accordingly carries no standing metadata-retention duty.