2,300 participants. 88,000 regulated cannabis transactions. 750 kilograms of legally purchased cannabis tracked through licensed pharmacies and clubs. These are the numbers from Zurich’s Züri Can pilot alone—and Zurich was sufficiently impressed that in October 2025 it requested CHF 800,000 in additional funding to extend the programme to 2028 and expand toward 3,000 participants.

Switzerland’s cannabis pilot programmes are not full legalisation. They’re something more carefully designed: time-limited, research-embedded, consent-based experiments that collect health and behavioural data about participants while supplying them with regulated cannabis. The data architecture required to do this ethically—under Switzerland’s nFADP and with GDPR considerations at the borders—is a model worth studying for every country building a cannabis framework.

The Federal Framework Behind the Pilots

Switzerland is not an EU member state and operates under its own distinct legal framework, including for data protection. The Federal Office of Public Health (FOPH—Bundesamt für Gesundheit, BAG) authorises cannabis pilot programmes under Article 8a of the Narcotics Act (BetmG), which was amended specifically to enable research-based cannabis experiments in municipalities.

The framework permits cities and cantons to apply for authorisation to run pilots, provided they:

  • Design the pilot as a scientific study with defined research questions
  • Obtain ethics committee approval (from cantonal ethics committees)
  • Implement informed consent procedures for all participants
  • Supply cannabis only from authorised Swiss producers
  • Collect and report data to the FOPH on outcomes

This structure means every Swiss cannabis pilot is simultaneously a regulated cannabis supply channel and a scientific research protocol. The dual nature creates both more rigorous participant protection requirements (ethics committee oversight, informed consent, right to withdraw) and specific data governance obligations (research data integrity, anonymisation requirements, retention limits tied to study completion).

Current active pilots: Zurich (Züri Can, launched 2023), Basel, Lausanne, Geneva, Bern, Winterthur, and Lucerne. Each operates under its own cantonal authorisation and ethics committee approval while reporting to the FOPH under the federal framework.

The nFADP: Switzerland’s GDPR-Adjacent Privacy Framework

Switzerland’s data protection framework—the Federal Act on Data Protection (FADP), fully revised as the new FADP (nFADP) in force since September 1, 2023—is structurally similar to GDPR but distinct in important ways.

Where nFADP aligns with GDPR:

  • Data minimisation principle: collect only what’s necessary
  • Purpose limitation: use data only for declared purposes
  • Security requirements: implement appropriate technical and organisational measures
  • Breach notification: notify the Data Protection Authority (FDPIC—Federal Data Protection and Information Commissioner) of high-risk breaches
  • Individual rights: access, correction, deletion, data portability

Where nFADP differs from GDPR:

Legal basis: nFADP permits processing based on “overriding private interests” (similar to legitimate interests) without the same level of documentation balancing test that GDPR requires. For cannabis pilot operators, this provides slightly more flexibility for processing research data under internal interest grounds—but consent remains the preferred basis for sensitive health data.

Extraterritorial reach: nFADP applies to processing that has effects in Switzerland, even if the processor is located outside Switzerland. For cannabis pilot data processed by FOPH contractors or research partners in EU member states, both nFADP and GDPR may apply.

No DPO mandatory requirement: Unlike GDPR, nFADP does not mandate a formal Data Protection Officer for all data controllers processing sensitive data at scale. However, organisations processing large volumes of sensitive health data are encouraged to appoint one.

Adequacy status: The EU has determined Switzerland provides an adequate level of data protection, allowing EU-to-Switzerland data flows without Standard Contractual Clauses. Swiss pilot programmes collecting data from participants who are EU nationals can transfer that data to Swiss research institutions without additional transfer mechanisms—a significant operational simplification versus the situation for non-adequate third countries.

Participant Data in the Züri Can Model: Privacy by Design in Practice

The Züri Can programme serves as the most detailed public example of Swiss cannabis pilot data architecture. It demonstrates privacy-by-design principles applied to a regulated cannabis context.

What participant data is collected:

At enrolment, participants provide: identity verification (Swiss ID or residence permit), age confirmation, Zurich residency confirmation, and baseline health assessment data. This baseline includes self-reported cannabis use history, health conditions, and any medications—data that is clearly sensitive under nFADP.

During the study, participants record purchase transactions through the pilot’s distribution points (pharmacies and authorised clubs). Each transaction is logged against the participant’s study identifier—not their legal name. The association between study identifier and legal identity is maintained in a separate, access-controlled registry by the study management team.

For research purposes, participants also complete periodic health surveys (quarterly in most designs) assessing consumption patterns, perceived health effects, sleep, anxiety, and other relevant metrics. These survey responses are linked to their study identifier.

The anonymisation architecture: The critical privacy-protective design element is the two-key structure. Participant identifiers in the research dataset are pseudonymous. The key linking study identifiers to legal identities is held by the ethics-committee-approved study management team, not by the FOPH or municipal cannabis supply points. This means the FOPH receives research data that is pseudonymous—they cannot identify individuals from their research data without going through the study management layer.

This design has a specific implication for law enforcement access: the FOPH cannot hand police a list of cannabis pilot participants without first going through the study management team, which has ethics committee obligations around data disclosure. The design deliberately creates friction against participant identification for non-study purposes.

Right to withdraw: Participants can withdraw from the study at any time. Withdrawal stops future data collection and entitles the participant to erasure of their identifiable data from the pseudonymisation registry. Research data collected to that point is typically retained in anonymised form (without the pseudonymous identifier) for research integrity purposes—an approach aligned with GDPR and nFADP research data exemptions.

The Cross-Border Complexity: Swiss-EU Border Regions

Switzerland’s geography creates a specific cross-border cannabis data challenge that doesn’t exist in landlocked EU member states. Basel sits directly on the French and German borders. Geneva borders France. Lausanne is in the canton of Vaud, close to the French border.

Participants in these border-region pilots may include individuals who:

  • Are EU nationals residing in Switzerland (subject to nFADP, no GDPR issues)
  • Are Swiss nationals residing in EU member states and commuting into Switzerland (potential GDPR questions if their data is processed in the EU)
  • Are French or German residents who participate in Swiss pilots while in Switzerland

The practical data protection question: if a participant enrolled in the Basel pilot is a French national who provides a French address in their baseline data, do their research records require GDPR compliance in addition to nFADP?

Swiss data protection experts generally take the position that nFADP adequacy status means EU nationals in Switzerland are protected by an adequate framework, eliminating the GDPR application question. However, if pilot data is transmitted to or analysed by EU-based research partners (which some pilots have engaged for specific study components), those partners are processing the data under EU jurisdiction and must comply with GDPR.

The most risk-averse approach—adopted by some pilot management teams—is to apply GDPR-equivalent standards across the entire pilot regardless of participant nationality, treating nFADP as the floor rather than the ceiling. This adds compliance overhead but eliminates jurisdictional ambiguity.

The Path to National Legalisation: What Pilot Data Means for Future Compliance

Switzerland’s Federal Council reviewed a draft Cannabis Products Act in 2025 that could enable nationwide adult-use legalisation. Parliamentary consultation feedback is expected through late 2026, with potential initial commercial rollout in 2027—contingent on parliamentary approval and federal referendum processes.

The pilot programmes serve a critical function in this trajectory: they generate the evidence base that will inform or undermine the legalisation proposal. FOPH researchers, RAND Europe analysts, and cantonal health authorities are all assessing pilot outcomes against control municipality data.

For the legalisation case, outcomes that matter most: reduction in illicit market activity in pilot municipalities, absence of significant public health deterioration, demonstration that regulated supply is operationally feasible, and evidence that participant data can be handled responsibly under a privacy-compliant framework.

That last point matters for compliance reasons beyond the political: the data architecture built for the pilots—pseudonymisation, ethics committee oversight, separation of identification and research databases—is being built by people who know it may become the template for a national regulated market. The privacy-first design is not incidental. It’s an explicit design goal intended to demonstrate that legal cannabis and privacy compliance are compatible.

What this means for operators watching Switzerland: If national legalisation proceeds in 2027, the compliance framework will be shaped by what the pilots taught. Operators entering the Swiss market should expect:

  • EU-GMP or equivalent quality standards for producers
  • Traceability systems with architecture similar to the pilot tracking
  • nFADP-compliant data handling for consumer/patient records
  • Ethics-committee-style data governance for any research components
  • Possible integration requirements with FOPH data systems

Building nFADP compliance competency now—for any international operator with Swiss market aspirations—is preparation that will compound.

Practical Guidance for Operators in or Entering Swiss Markets

Pilot programme participation (for applicants): If your municipality is seeking FOPH authorisation for a new pilot, the data governance documentation requirement is substantial. The ethics committee application must demonstrate a complete privacy impact assessment, participant consent architecture, pseudonymisation design, and breach response procedures before approval is granted.

Supply to pilots (for cultivators): Swiss cannabis pilot authorisations require supply from Swiss-licensed producers. Non-Swiss cultivators are not eligible to supply pilots under the current Narcotics Act framework. Watch for whether national legalisation legislation creates import pathways for EU-GMP certified non-Swiss producers.

Cross-border operators: If you operate in France, Germany, or Austria and have assets near the Swiss border, understand that Swiss pilot data cannot legally flow to your EU operations without appropriate transfer mechanisms—and participants’ identities are specifically protected from disclosure to non-study parties.

Technology vendors: Swiss pilots use bespoke software for participant management and transaction tracking. If you provide SaaS compliance solutions to cannabis operators, nFADP certification or equivalence documentation will be required for Swiss market entry. Align your security documentation with nFADP’s Article 8 technical and organisational measures—they parallel GDPR Article 32 closely enough that GDPR-compliant documentation is a strong starting point.

Switzerland’s cannabis experiment is the world’s clearest example of what privacy-by-design cannabis compliance looks like when it’s built from scratch with research integrity and participant protection as primary constraints. The rest of Europe is watching.

CannaSecure provides compliance guidance for cannabis operators and software vendors navigating Swiss nFADP requirements and cross-border EU-Switzerland data governance. Contact us to discuss Swiss market compliance.