Back to Blog
Legal

Swiss Data Protection and AI Detection Tools: What Schools Need to Know

10 min read

A New Data Protection Landscape

On September 1, 2023, Switzerland's revised Federal Act on Data Protection (nDSG, also known as revFADP) came into force, replacing a law that had been in effect since 1992. For Swiss schools and universities using AI detection tools, this legislation has significant implications. Combined with the European Union's General Data Protection Regulation (GDPR), which applies to many Swiss institutions that interact with EU residents, the regulatory environment demands careful attention.

This article provides a practical overview of the data protection requirements that Swiss educational institutions must consider when implementing AI detection tools, and explains how compliant solutions like AIDetector.ch address these requirements.

The New Swiss Federal Act on Data Protection (nDSG)

Key Changes from the Old Law

The nDSG represents a substantial modernization of Swiss data protection law, bringing it closer to the GDPR while maintaining distinctly Swiss characteristics. Key changes relevant to educational institutions include:

  • Enhanced transparency obligations: Data controllers must inform data subjects about the collection and processing of their personal data, including the purpose and any transfers abroad (Art. 19 nDSG)
  • Data protection impact assessments (DPIA): Required when processing is likely to result in a high risk to the personality or fundamental rights of data subjects (Art. 22 nDSG)
  • Privacy by design and by default: Technical and organizational measures must be implemented from the design stage (Art. 7 nDSG)
  • Strengthened rights of data subjects: Including the right to data portability (Art. 28 nDSG)
  • Stricter penalties: Fines of up to CHF 250,000 for individuals (not organizations, unlike the GDPR) who willfully violate certain provisions

What Counts as Personal Data?

Under the nDSG, personal data is defined as any information relating to an identified or identifiable natural person (Art. 5 lit. a nDSG). In the context of AI detection, this raises important questions: does a student's essay constitute personal data?

The answer is generally yes, for several reasons:

  • The text is typically submitted with the student's name and identification number
  • The writing style itself can be considered identifying information
  • The detection result — whether AI-generated or not — is information about the student
  • The combination of text content and metadata (submission time, course, etc.) makes identification trivial

GDPR Applicability for Swiss Institutions

Many Swiss educational institutions are also subject to the GDPR, even though Switzerland is not an EU member state. The GDPR applies when:

  • The institution offers services to individuals in the EU (e.g., accepting EU students)
  • The institution monitors the behavior of individuals in the EU
  • The institution uses data processors located in the EU

Swiss universities with international student bodies, exchange programs with EU universities, or partnerships with EU-based service providers frequently fall within the GDPR's scope. The University of Zurich, ETH Zürich, and EPFL, among others, have all adopted policies that comply with both nDSG and GDPR requirements.

Data Processing Requirements for AI Detection Tools

Legal Basis for Processing

Under both the nDSG and the GDPR, processing personal data requires a legal basis. For educational institutions using AI detection tools, the most relevant bases are:

  • Legitimate interest (nDSG Art. 31): Maintaining academic integrity is a legitimate interest of educational institutions. However, this must be balanced against the student's interest in privacy.
  • Performance of a task in the public interest (GDPR Art. 6(1)(e)): Public universities may rely on their mandate to maintain educational standards.
  • Consent: While possible, consent is generally not recommended as the primary legal basis in educational settings, because the power imbalance between institution and student may render consent not freely given.

Transparency and Information Obligations

Before submitting student work to an AI detection tool, institutions must inform students:

  • That their submissions will be analyzed by an AI detection tool
  • Which tool is being used and who operates it
  • What data is collected and how it is processed
  • How long the data is retained
  • Whether data is transferred to third countries
  • The students' rights regarding their data

This information should be included in course syllabi, institutional data protection policies, or both. The Federal Data Protection and Information Commissioner (FDPIC/EDÖB) has emphasized that transparency is a cornerstone of the nDSG.

Data Minimization

Both the nDSG and the GDPR require that only the minimum amount of personal data necessary for the specific purpose be processed. For AI detection, this means:

  • Only the text to be analyzed should be transmitted to the detection tool — not unnecessary metadata
  • Student names and identification numbers should be stripped before submission where possible
  • Detection results should be stored only for as long as necessary
  • The tool should not retain copies of submitted texts beyond the analysis period

Cross-Border Data Transfers

Many AI detection tools are operated by companies outside Switzerland. Under the nDSG, personal data may only be transferred to countries that ensure an adequate level of data protection, as determined by the Federal Council (Art. 16 nDSG). The Federal Council maintains a list of countries with adequate protection.

For countries not on this list (including, notably, the United States in certain contexts), additional safeguards are required, such as:

  • Standard contractual clauses (SCCs)
  • Binding corporate rules
  • Explicit consent of the data subject

This is where the choice of AI detection tool becomes critical. Tools that process data within Switzerland avoid cross-border transfer issues entirely.

How AIDetector.ch Complies

AIDetector.ch has been designed from the ground up to meet Swiss data protection requirements:

  • Swiss-hosted infrastructure: All data processing occurs on servers located in Switzerland, eliminating cross-border transfer concerns
  • Data minimization by design: Only the submitted text is processed; no unnecessary personal data is collected or retained
  • Automatic data deletion: Submitted texts and analysis results are not permanently stored
  • No training on user data: Submitted texts are not used to train or improve detection models
  • Transparent processing: Clear documentation of what data is processed and how
  • DPIA-ready: The platform provides the technical documentation needed for institutions to complete their data protection impact assessments

Comparison with EU Country Requirements

Swiss requirements align closely with those in EU countries, but there are notable differences:

  • Germany: The strictest approach in the EU, with individual Länder (states) data protection authorities frequently issuing guidance on educational technology. Several German states have restricted the use of certain AI detection tools due to data transfer concerns.
  • France: The CNIL has issued specific guidance on AI in education, emphasizing the need for human oversight in automated decision-making affecting students.
  • Austria: Similar to Switzerland in many respects, with the Austrian data protection authority (DSB) focusing on proportionality in educational data processing.

Switzerland's approach is generally considered pragmatic — protective of individual rights but not prohibitively restrictive, provided institutions take their obligations seriously.

Practical Steps for Schools and Universities

To ensure compliance when implementing AI detection tools, Swiss educational institutions should:

  1. Conduct a data protection impact assessment for the specific tool being considered
  2. Update privacy policies to include information about AI detection processing
  3. Inform students clearly about the use of detection tools, ideally at the beginning of each course
  4. Choose compliant tools that minimize data collection and ideally process data within Switzerland
  5. Establish data processing agreements with tool providers that meet nDSG requirements
  6. Train staff on the proper use of detection tools and interpretation of results
  7. Document everything — from the decision to use a tool to the procedures for handling flagged submissions

Looking Ahead

The intersection of AI detection and data protection will continue to evolve. The EU AI Act, which entered into force in August 2024, introduces additional requirements for AI systems used in education, classified as "high-risk." While the AI Act does not directly apply in Switzerland, it will likely influence Swiss regulatory thinking and the practices of tool providers serving the European market.

Swiss institutions that establish robust, compliant processes now will be well-positioned as the regulatory landscape continues to develop.

Sources

  • Swiss Federal Act on Data Protection (nDSG), AS 2022 491, effective September 1, 2023.
  • Federal Data Protection and Information Commissioner (FDPIC/EDÖB), "Guide to the new Federal Act on Data Protection," 2023.
  • Regulation (EU) 2016/679 (General Data Protection Regulation).
  • swissuniversities, "Data Protection Framework for Swiss Higher Education Institutions," 2023.
  • EDÖB, "Recommendations on the Use of Cloud Services in Education," 2023.
  • European Commission, "Regulation (EU) 2024/1689 — Artificial Intelligence Act," 2024.
  • Rosenthal, D., "Das neue Datenschutzgesetz," Jusletter, 16. November 2020.