AI and Swiss secret professionnel: the three DPA terms that decide whether the secret survives
For a Swiss avocat, professional secrecy is a criminal duty that outlives your practice. Whether an AI tool breaches it is not decided by the brand or the licence tier. It is decided by three terms in the vendor's Data Processing Addendum, and by one Swiss trap no data-protection clearance can fix.
tsukumo
It is 7pm in Geneva. Maître L., an avocate mid-way through a cross-border M&A dispute, needs a strategy note by morning. She opens consumer ChatGPT, deletes the client's and the target's names from the disputed share-purchase memo, pastes the rest, and tells herself two things: she will delete the chat after, and it is "EU-hosted" anyway. Every one of those instincts is wrong under the mechanics below. Not slightly wrong. Wrong in the way that converts a confidentiality duty into a criminal one.
Short version: whether a Swiss avocat using AI breaches secret professionnel is not decided by the brand or the licence tier. It is decided by three terms in the vendor's Data Processing Addendum: sub-processors, retention, and jurisdiction. Those decide whether the vendor is a supervised auxiliaire inside the secret (art. 13 al. 2 LLCA) or an unbound third party you revealed to (art. 321 CP). And no DPA term cures the CLOUD Act trap with art. 271 CP. The fix is architecture: hold the data and the keys.
Is your AI vendor an auxiliaire, or a third party you just revealed the secret to?#
Your vendor is one or the other, and a contract decides which. Art. 321 CP makes revealing a client secret to an outsider a crime. But art. 13 al. 2 LLCA puts your auxiliaires inside the secret with you. The Swiss bar (FSA/SAV, 2019) holds a cloud provider can be such an auxiliaire, so feeding it data is no révélation, on conditions.
Those conditions are the whole ballgame. The 2019 opinion is explicit: the provider counts as an auxiliaire only if the avocat chooses it, instructs it, supervises it, and holds the encryption keys. Meet them, and the data never left the circle. Miss one, and you did not delegate to a helper. You disclosed a secret to a stranger, and art. 321 does not care that the stranger was a famous AI company. (The 2019 opinion predates the nLPD, so its data-protection cross-references are superseded; its reasoning on the secret itself still holds.)
The US gives an illustrative echo, and only an echo. In Kovel (2d Cir, 1961) a third party brought in to help a lawyer can sit inside privilege as an agent. But in US v. Heppner (SDNY, Rakoff J., oral ruling 10 Feb 2026), documents a defendant made with consumer Claude were held not privileged: no lawyer involved, no reasonable expectation of confidentiality, not for legal advice. The court noted they "might have been" protected if counsel had directed the tool under confidentiality. (Those quotes are firm-summary renderings, not verbatim from a slip opinion.) Direction and confidentiality are the hinge. Same hinge as the auxiliaire test.
What are the three DPA terms that decide whether the secret survives?#
Three contract terms decide whether your vendor is inside the secret or outside it. Not the logo. Not the price tier. The sub-processor clause, the retention clause, and the jurisdiction clause. Read them in that order and you can tell, before you paste anything, whether the tool is an auxiliaire or a witness to your breach.
No-training plus retention / zero data retention answers: is it even confidential. If the vendor trains on your inputs, or keeps a custodial copy, your client's secret is now sitting in a corpus and a log you do not control.
The sub-processor chain plus the onward-disclosure clause answers: to how many third parties did you actually disclose. Every sub-processor extends the auxiliaire circle you are supposed to be supervising, and every one of them is independently reachable by subpoena or by the CLOUD Act. An open-ended "we may use sub-processors" clause is an open-ended list of strangers.
Jurisdiction plus direction / instruction answers: is the vendor inside the circle at all. A DPA that makes the vendor act on your documented instruction, bound by your secret, under a forum you can name, is the difference between an auxiliaire and a third party.
Map each term to the duty and the picture is clean: term one is confidentiality, term two is the size of your disclosure, term three is whether disclosure happened at all.
Three gates. Pass all three and the vendor is a directed, secrecy-bound auxiliaire. Fail one and you have a third party you disclosed to.
“The brand on the login screen tells you nothing. Three clauses in the DPA tell you whether the secret survived contact with the tool.”
Because residency, retention, and the CLOUD Act are three different mechanisms, and only the first is about geography. Data residency controls where bytes are stored. Zero data retention controls whether the provider keeps a copy. The CLOUD Act controls neither: it lets a US authority compel a US-jurisdiction provider to produce data wherever in the world it sits.
Buyers collapse these three into one feeling of safety. They are not the same, and the gaps between them are where the secret leaks.
Three mechanisms people treat as one
Data residency
Zero data retention
CLOUD Act
What it controls
The physical location where data is stored
Whether the provider keeps a custodial copy after the request
Nothing you hold: it lets a US authority compel a US-jurisdiction provider anywhere
What it does NOT stop
A US-jurisdiction provider being compelled regardless of where bytes rest
A court ordering preservation that overrides the default; non-eligible features still log
Storage in Switzerland: location is irrelevant to a control-based order
Failure mode
You read "CH-hosted" as "out of US reach". It is not
Misuse-flagged traffic held up to two years; some features are not ZDR-eligible
Compelled production may bypass entraide and run into art. 271 CP
Two honesty notes. First, "Swiss-hosted Claude" as a first-party Anthropic product does not exist today: the workspace geography value is "us" only, so a Swiss deployment rests on an EU-region partner cloud, Swiss sovereign hosting, or a self-hosted open model. Say that plainly to your client. Second, zero data retention is narrower than people assume: misuse-flagged traffic can be retained up to two years, and some features are excluded from ZDR. "We keep nothing" is usually "we keep nothing, except".
What is the Swiss trap a GDPR-style analysis misses?#
Art. 271 CP: handing Swiss-protected data to a foreign authority outside entraide is a sovereignty crime, and no data-protection clearance touches it. In ATF 148 IV 66 (TF 6B_216/2020, 2021), a wealth manager who gave Swiss-collected client data to the US DOJ on a USB key, outside the mutual-assistance channel, was convicted under art. 271 CP. Swiss data reaches a foreign state through entraide, or it reaches it unlawfully.
Now the honest extension, flagged as exactly that. The precedent involved a voluntary hand-over. Whether a vendor's compelled CLOUD Act production triggers art. 271 against the Swiss professional is an analytical risk extension, not a settled holding. We will not pretend a court has ruled what it has not. But the direction of the statute is unmistakable, and "my US vendor was forced to" is not obviously a defence when you chose a vendor that could be forced.
And this is the trap a data-protection-only analysis walks straight past. The Swiss-US Data Privacy Framework adequacy is live (the US was added to Annexe 1 OPDo, in force 15 September 2024), which clears the nLPD transfer rule in art. 16. It does nothing for art. 321 or art. 271. A transfer can be fully nLPD-compliant and still a criminal breach of the secret and of Swiss sovereignty. The DPF is also revocable and Schrems-fragile: building a confidentiality posture on an adequacy decision is building on a decision that can be annulled.
No. "Delete" is a request to a custodian a court can overrule. In NYT v. OpenAI (SDNY 1:23-cv-11195), Magistrate Judge Ona Wang ordered OpenAI on 13 May 2025 to preserve all consumer logs, including ones users had already deleted. On 7 November 2025 the court ordered 20 million de-identified logs produced.
20 million
de-identified consumer ChatGPT logs a US court ordered produced (NYT v. OpenAI, 7 Nov 2025)
after the same court had already ordered preservation of deleted chats
Source: NYT v. OpenAI, SDNY 1:23-cv-11195
Read the carve-outs, because they are the lesson. Enterprise, zero-data-retention, and EEA / Switzerland / UK traffic were excluded from the order. OpenAI even suspended EU Article 17 erasure requests to comply with the preservation. So deletion was overridden by a court for everyone except the customers sitting behind a different architecture. Maître L.'s "I'll delete it after" was never a control. It was a request to a third party that a foreign judge could, and did, override.
No. Stripping names is pseudonymisation, not anonymisation, and pseudonymised data is still personal data. Under revDSG art. 5, data stays personal as long as the person is identifiable. So the secret still attaches, names or no names.
There is a live tension worth stating honestly. The EDPB (Guidelines 01/2025) treats pseudonymised data as always personal data. The CJEU (EDPS v SRB, C-413/23 P, 4 September 2025) makes the personal-data status relative to the recipient's reasonable means of re-identification. Under either reading, Maître L. loses. The model holds her full session: the prior turns, the deal specifics, the shape of the dispute. It has the means to re-identify the "anonymous" parties from context she herself supplied. So to the vendor the data is still personal, and the secret still travels with it. Deleting two names from a memo about one identifiable cross-border deal is not anonymisation. It is a feeling of safety.
So how does a Swiss firm actually use AI without breaching the secret?#
With architecture, not a policy PDF. You cannot train your way out of this at the paste button. You build a perimeter where the secret physically cannot leave the circle of people bound to keep it, and where the contract makes the vendor one of them.
Concretely, four things working together:
A controlled doc layer the firm holds as the single canonical source of truth, so client files live in one governed place instead of scattered across chat histories. This is the canonical-doc-layer pattern.
Customer-held encryption keys, so the provider cannot decrypt the content. If the vendor holds no usable plaintext, a compelled foreign-access order reaches ciphertext, which is the posture the FDPIC points to when it tells controllers to encrypt before the cloud.
Region-pinned inference: an EU-region partner cloud, Swiss sovereign hosting, or a self-hosted open model, chosen on purpose and named to the client.
A DPA that makes the vendor a directed, secrecy-bound *auxiliaire: a closed and approved sub-processor list with secret-professionnel flow-down, no unilateral preservation for foreign proceedings, and a duty to challenge and redirect to *entraide and to notify you before any production.
Now replay 7pm. Maître L. opens the firm's controlled workspace, not consumer ChatGPT. The share-purchase memo is already inside the governed doc layer, encrypted under keys the firm holds. The model runs region-pinned, under a DPA that binds the vendor to her secret and forbids it from quietly preserving anything for a foreign court. She drafts the strategy note. Nothing crossed the line, because there is no path across the line. The difference between the two 7pms is not how careful she was. It is the architecture she was working inside.
One honest caveat, because this is fast-moving law. The rulings and defaults above were accurate as of 26 June 2026, and two points are contested rather than settled: art. 271 on compelled production is an analytical extension of a voluntary-hand-over precedent, and the DPF adequacy is live but revocable. Verify the current state of any case and any vendor term before you bet a client's secret on it. We push the boundary into architecture precisely because architecture holds still while policy pages and adequacy decisions do not.
We map where your client data physically goes today, then put the boundary into the system: controlled doc layer, customer-held keys, region-pinned inference, and a DPA that makes the vendor a secrecy-bound auxiliaire.
It can be. The Swiss bar (FSA/SAV, 2019) holds a cloud provider can be an auxiliaire, and disclosure to an auxiliaire is not a révélation of the secret. But only if the avocat chooses, instructs, and supervises that provider and holds the encryption keys. Without those, you have not used a helper. You have revealed the secret to a third party.
Does zero data retention stop a court subpoenaing my AI logs?
Not reliably. Zero data retention means the provider keeps no custodial copy by default, but a court can order preservation that overrides that default, as in NYT v. OpenAI. ZDR also has gaps: misuse-flagged traffic can be held up to two years, and some features are not ZDR-eligible. Retention is a setting a custodian can be ordered to change.
Can the CLOUD Act reach Swiss-hosted AI data?
Yes. The US CLOUD Act reaches on control, not storage location. A provider under US jurisdiction can be compelled to produce data wherever it sits, including Switzerland. Swiss data residency controls where bytes rest, not who can be ordered to hand them over. Control, not geography, decides reach.
Is pseudonymised data still personal data under the revDSG?
Yes. Under revDSG art. 5, pseudonymised data stays personal data because the person is still identifiable. The EDPB (Guidelines 01/2025) treats pseudonymised data as always personal; the CJEU (C-413/23 P, 2025) makes it relative to the recipient's means. Either way, an LLM holding your full session can re-identify, so the secret still attaches.
