▸ Compliance and Applicable Law
Quad9 is entirely and fully subject to Swiss data protection law including the Swiss Federal Act on Data Protection (FADP) and its corresponding ordinance with regard to all Quad9’s users, regardless of their citizenship or country of residence. Compliance with Swiss data protection law is subject to the independent supervision of the Swiss Federal Data Protection and Information Commissioner (FDPIC), which is responsive to data subjects (Quad9 users) throughout the world. While the European Commission considers Switzerland as providing an equivalent level of protection the General Data Protection Regulation (GDPR), Quad9 is also specifically subject to the GDPR with regard to Quad9 users in the European Union, Iceland, Liechtenstein, and Norway. Quad9 users in those countries also have the option of turning to their domestic data protection authority, which will liaise with Quad9’s European data protection representative in Hamburg, Germany.
Quad9 operates under a finding of law by the Swiss Post and Telecommunications Surveillance Service that the Swiss Federal Act on the Surveillance of Post and Telecommunications (SPTA; SR 780.1) does not apply to Quad9, and that Quad9 therefore is not required to fulfill any obligations under the SPTA and its implementing ordinances. These would otherwise include obligations of data collection and retention for use by Swiss law enforcement and intelligence authorities.
Quad9 operates under a finding of law by the Swiss Federal Office of Communications that Quad9 is not a "telecommunications service" as defined by the Swiss Telecommunications Act (TCA, SR 784.10), and that Quad9 therefore is not required to fulfill applicable obligations under the TCA and its implementing ordinances. These would otherwise include "know your customer" ("KYC") obligations.
Switzerland does not have any other laws which would allow the Swiss government to compel Quad9 to collect personal data, nor does Swiss law allow the Swiss government to compel Quad9 to secrecy regarding its actions or compliance with the law.
Countries other than Switzerland may assert legal authority to compel Quad9 to produce personal information, but enforcement of any such request must be enacted through a Mutual Legal Assistance Treaty (MLAT) request directed to the Swiss Federal Office of Justice, which must first assess the request for compliance with standards of human rights, and then must assess whether the requested action can be effected through the action of Swiss law. Given the above findings of law, there may be no such mechanism available. Furthermore, Quad9 does not collect personal information, and is thus not in possession of it, and is therefore unable to provide it. Please see our transparency policy for details of any such requests received by Quad9.
Quad9 regards Internet Protocol ("IP") addresses associated with its users to be Personally Identifiable Information ("PII"). Quad9 uses the union of the definitions of PII contained in Swiss law (Article 3 (a) FADP), United States Law (2 CFR § 200.79) and European Union law (Article 4(1) GDPR), with the definition which extends the greatest protection to the user controlling in the event of any conflict between the three, and we extend that most stringent protection to all of Quad9's users, regardless of their citizenship or domicile.
External links
Memorandum - Swiss data protection law
Swiss Federal Data Protection and Information Commissioner (FDPIC)
General Data Protection Regulation (GDPR)
Finding of law - Applicability of swiss surveillance law
Swiss Post and Telecommunications Surveillance Service
SPTA; SR 780.1 - Swiss Federal Act on Data Protection
Finding of law - Applicability of Swiss KYC law
Swiss Federal Office of Communications
TCA, SR 784.10 - Swiss Federal Act on Data Protection
Mutual Legal Assistance Treaty - Wikipedia
Swiss Federal Office of Justice
Article 3 (a) FADP - Swiss Federal Act on Data Protection
2 CFR § 200.79 - United States law
Article 4(1) GDPR - European Union regulations