(May 18, 2020) On May 13, 2020, the Swiss Federal Council—the Swiss government—adopted a temporary regulation that sets out rules for the organization, operation, processing of data, and use of the “Swiss Proximity-Tracing-System” (Swiss PT-System, SPTS) for the duration of the pilot project. (COVID-19 Regulation on Proximity Tracing Pilot art. 1.) The SPTS will notify people who have been potentially exposed to COVID-19. The temporary regulation entered into force on May 14, 2020, and will expire on June 30, 2020. (Art. 21.) The Federal Council is planning on adopting legislation on the regular operation of the app in its next session on May 20, 2020. The Swiss Parliament is slated to discuss and adopt that legislation during its summer session in June.
The app will be tested by employees of the Swiss technical universities in Lausanne and Zurich, members of the military, employees of hospitals, and employees of the federal and cantonal administrations. Furthermore, it will be made available to additional people and organizations that are willing to the test the system to detect technical deficiencies and usability problems. (Art. 6.)
As of May 18, 2020, 30,597 people had tested positive for COVID-19 in Switzerland and Liechtenstein. 1,603 people had died.
Content of the Regulation
Aim of the Pilot Project
The pilot project aims to test and evaluate the SPTS with regard to its final introduction, in particular the approaches developed concerning the system’s decentralized data processing and cryptographic methods, the stability of the operating system, safeguards against accidental or unauthorized data processing, user-friendliness, and understandability of the information for participants and authorized staff. (Art. 2.) The SPTS and the processed data will be used to notify participants who have been potentially exposed to the coronavirus and to prepare statistics with regard to the coronavirus. Data protection rules will be complied with. (Art. 3.)
Structure and Operation of the SPTS
The SPTS is composed of a system for managing proximity data (VA-system), which is made up of software that participants install on their mobile phones (app) and a VA-backend, and a code administration system, which is made up of a web-based frontend and a backend. The VA-backend and the code administration system will be operated on a central server by the Swiss Federal Office of Public Health (BAG). (Art. 4.)
The VA-backend provides a list with the following data on demand to the apps:
- the private keys of infected participants that were current at the time that an infection of other people was possible (relevant time frame), and
- the date of each key. (Art. 10, para. 1.)
The app generates a new private key each day; continuously sends an identification code, via Bluetooth, that changes every 15 minutes and is based on the current private key; and continuously checks whether it receives compatible signals from other mobile phones. If the mobile phones of two participants come within two meters or less of each other, the app will save the current identification code, the signal strength, the date, and the approximate duration of the proximity event. The proximity will be estimated using the signal strength.
Furthermore, the app will periodically request the list of private keys of infected participants from the VA-backend, determine the relevant identification codes on that basis, and match them with the locally stored identification codes. Once the app determines that a participant has been within two meters or less of an infected person and the aggregated sum of all those proximity events has been at least 15 minutes, a notification is issued. (Art. 10, para. 2.) The notification includes the information that the participant has been potentially exposed to the coronavirus, the date of that exposure, and the BAG’s recommendations for addressing the potential exposure. (Art. 12.)
Process in the Event of Infection
An infected person who has downloaded the app will need to contact a person who has access to the code administration system, such as his or her attending physician, to receive a one-time code that expires in 24 hours. The person with access to the code system also registers the date when the first symptoms occurred or the date of the test, if the infected person is asymptomatic. The infected person enters the code in the app. (Art. 11, paras. 1, 2; art. 15.) There is no requirement to report a positive test result. (FAQ, question 25.)
The code administration backend confirms to the app that the code is valid and subtracts a maximum of three days from the date that the BAG entered. This date is the beginning of the relevant time frame. The date is transmitted to the app of the infected person. The app in turn transmits the private keys and dates that were current in the relevant time frame to the VA-backend. The VA-backend records these private keys and the corresponding dates on its list. The app generates a new private key after the infection has been reported. It is not possible to deduce older private keys from the new key. (Art. 11, paras. 3–6.)
Data Protection and Privacy
In general, the Federal Data Protection Act applies to the processing of data. (Art. 8, para. 5.) The BAG is designated as the controller of data for all components of the SPTS. (Art. 9.) The installation of the app and the use of the SPTS are voluntary for all participants. The notification that someone has been potentially exposed to the coronavirus will be sent only with the explicit consent of the infected person. (Art. 7.) Technical and organizational safeguards must be in place to prevent identification of the participants. (Art. 8, para. 1.) Data concerning other participants stored on the mobile phone of a participant will be processed and stored only on that mobile device. (Art. 8, para. 2.) The SPTS will not receive location data or process it in any other way. (Art. 8, para. 3.) The source code and the technical specifications of all SPTS components will be made publicly available. (Art. 8, para. 4.)
Deletion of Data and Deinstallation of the App
The VA-system data will be deleted from the mobile device and the VA-backend 21 days after they have been recorded. The data of the code administration system will be destroyed 24 hours after they have been recorded. (Art. 18.) The institutions and organizations that participated in the pilot project will ask the participants to delete the app after the conclusion of the pilot or, if the SPTS is to be continued, ask them to install the final version of the app if they are still willing to participate. (Art. 19.)
The Swiss Federal Department of Home Affairs is responsible for evaluating the pilot project and is to continuously report its findings to the Federal Council and the Swiss Parliament. (Art. 20, para. 1.) It is also tasked with preparing a final report for the Federal Council one month after the conclusion of the pilot project. (Art. 20, para. 2.)