AI Meeting Tools and Client Consent: What Swiss Law Requires
TL;DR
- AI meeting tools like Fireflies.ai, Otter.ai, and Microsoft Copilot process voice recordings on third-party servers, often in the US. Under the nFADP, you must inform your clients before this happens.
- Consent means explicit, informed, and given before the recording starts. “Nobody objected” is not consent.
- The duty to disclose extends beyond meeting tools: any third-party service that processes client personal data requires transparency.
- A short pre-engagement disclosure document covers most of your obligations and takes an hour to prepare.
A consultant joins a video call with a new client. Fireflies.ai is already connected to the calendar, so the bot joins too, records the conversation, and generates a transcript. The audio is processed on US-based servers. The client’s name, voice, concerns, and business details are now stored by a third party they’ve never heard of, in a jurisdiction they didn’t agree to.
The consultant didn’t mention any of this. Under the nFADP (New Data Protection Act), that’s a problem, and the liability sits with whoever initiated the recording.
This article covers what Swiss law requires when you use AI-powered meeting tools with clients, how to handle consent properly, and a practical framework for staying compliant without abandoning the tools that make you productive.
What the nFADP requires for AI tool use
The nFADP doesn’t mention AI meeting tools by name. It doesn’t need to. Three core principles apply directly.
Duty to inform (Art. 19)
When you collect personal data, you must inform the data subject about the purpose, the identity of the controller, and any recipients or categories of recipients. A voice recording processed by Fireflies.ai involves collecting personal data (the client’s voice, statements, and potentially sensitive business information) and sharing it with a third-party processor (Fireflies). The client has a right to know this upfront.
Purpose limitation
Data collected for one purpose cannot be repurposed without additional consent. Recording a meeting for your own notes is one purpose. Feeding that recording to an AI that trains on user data, generates analytics, or shares aggregated insights is a different purpose. Check your tool’s terms of service carefully: many AI transcription services retain data for model improvement unless you explicitly opt out.
Data minimization
You should only collect what you need. If you only need action items from a meeting, a manual summary achieves the same result without recording the full conversation. The nFADP doesn’t prohibit recording, but it does require you to justify the scope of data collection relative to the purpose.
Recording meetings: what consent actually means
“I mentioned at the start that the call is being recorded” is common practice. It is also insufficient under Swiss law in most client-facing scenarios.
Explicit vs. implied consent
Implied consent (continuing the call after being told it’s recorded) is a weak legal position. The nFADP requires that data subjects be informed in a clear and comprehensible way. For recordings that involve third-party processing, best practice is explicit consent: the client actively agrees, ideally in writing or via a documented verbal confirmation.
For internal team meetings, the bar is lower. Employees can be informed through company policies and employment contracts. For external stakeholders (clients, prospects, partners), you need a more deliberate approach.
When to obtain consent
Before the recording starts. This sounds obvious, but many AI tools auto-join scheduled meetings or begin recording as soon as the call connects. If your tool has auto-record enabled, the recording may already be running before you’ve said a word.
Practical approach:
- Disable auto-record and auto-join for external meetings
- At the start of the call, explain what you’re recording, why, and where the data goes
- Ask for explicit agreement before activating the tool
- If the client declines, take manual notes instead
Verbal vs. written consent
Written consent (email, signed disclosure) creates a clear record. Verbal consent works legally but is harder to prove. A reasonable middle ground: send a brief email before the meeting explaining your recording practices, then confirm verbally on the call. The email serves as documentation.
Where does your data go?
The recording itself is only part of the picture. What matters equally is where the data is processed and stored after the call ends.
US-based AI services and the CLOUD Act
Most popular AI meeting tools (Fireflies.ai, Otter.ai, Grain, Fathom) process data on US-based infrastructure. The US CLOUD Act allows federal law enforcement to compel US-based companies to produce data stored on their servers, regardless of where the data subject is located. This creates a structural tension with Swiss data protection expectations.
The nFADP permits cross-border data transfers to countries with adequate data protection levels (listed by the Federal Council) or when appropriate safeguards exist (standard contractual clauses, binding corporate rules). The US is not on the adequacy list. Using a US-based AI transcription service with client data therefore requires one of the following:
- standard contractual clauses with the provider
- explicit informed consent from the client that covers the cross-border transfer
- a documented risk assessment concluding that the transfer is acceptable in the specific context
EU/Swiss-hosted alternatives
Some providers offer EU data residency options. Microsoft Teams (with Copilot) can be configured for European data processing. Otter.ai and Fireflies.ai, as of this writing, process data primarily in the US. If data residency matters for your clients (and for regulated industries, it usually does), verify the provider’s data processing location before committing.
Encryption in transit and at rest
Ask whether the tool encrypts recordings in transit and at rest. End-to-end encryption is the gold standard, but rare among AI transcription services because the AI needs access to the unencrypted audio to generate transcripts. At minimum, look for TLS in transit and AES-256 at rest.
Beyond meeting tools: what else should you disclose?
AI meeting recorders are conspicuous because they literally join the call. But the same disclosure obligation applies to any third-party service that processes client personal data, even if the processing is invisible.
Cloud storage
If you store client files in Google Drive, Dropbox, or OneDrive, a third party has access to that data. Where are the servers? What are the provider’s data processing terms? Clients interacting with you have a reasonable expectation of knowing where their data lives.
Email and communication
Gmail scans email content for spam filtering and (depending on the plan) advertising. Enterprise plans typically have stricter data processing agreements, but the obligation to disclose remains.
Project management tools
Asana, Monday.com, Notion: if you track client project details in these tools, client names, project descriptions, and timelines are stored on third-party servers. The same transparency obligation applies.
Password and credential sharing
Sharing login credentials with clients? Use a password manager with secure sharing features rather than sending passwords over email or chat. This is both a security measure and a social engineering defense: training clients to expect credentials through a secure channel reduces the effectiveness of phishing attacks against them.
The general principle
If a third-party service processes client personal data, clients have a right to know. You don’t need to list every SaaS subscription in your tech stack. But a general disclosure covering categories of tools (cloud storage, communication, project management, AI-assisted transcription) and their data processing jurisdictions demonstrates good faith and satisfies the nFADP’s transparency requirement.
A practical pre-engagement framework
Compliance doesn’t require a legal department. A structured approach covers most scenarios.
Step 1: Audit your tools
List every service that touches client data. For each one, note:
- Data type: What client information does it process? (names, emails, voice recordings, files, project details)
- Data location: Where are the servers? (US, EU, Switzerland)
- Data retention: How long does the service keep client data? Can you delete it?
- Sub-processors: Does the service share data with its own third parties?
This audit takes an hour. Update it when you add new tools.
Step 2: Create a disclosure template
Draft a one-page document that covers:
- Categories of tools you use to process client data
- Data processing jurisdictions
- Your encryption and security measures
- How to request data deletion
- Your contact information for data protection inquiries
This goes to clients at the start of an engagement, ideally as an appendix to your service agreement or in a standalone email.
Step 3: Add consent language for recordings
If you use AI meeting tools, add specific language covering:
- The tool name and provider
- What data is captured (audio, video, transcript, speaker identification)
- Where the data is processed and stored
- How long recordings are retained
- How the client can opt out
A single paragraph in your engagement letter or a pre-meeting email handles this. The key requirement is that the information reaches the client before the recording, not after.
Step 4: Implement operational safeguards
- Disable auto-record for external meetings
- Set data retention policies in your AI tools (delete recordings after 30/60/90 days)
- Review and purge client data when engagements end
- Use a VPN when accessing client data from public networks
- Enable 2FA on every tool that processes client data
These habits reduce risk and demonstrate the “appropriate technical and organizational measures” the nFADP requires. For a broader walkthrough, see our freelancer security setup guide or the security tools for founders overview.
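As an added example (not from the article and not any vendor's code), the Step 1 inventory and the Step 4 safeguards expressed as a small policy check in Python: each tool record is flagged when it breaks one of the rules above (non-adequate jurisdiction without SCCs, consent or a risk assessment; retention over the cap; undocumented sub-processors; auto-record left on for external meetings). The adequacy set, the retention cap and the tool entries are constructed assumptions, not a legal source.

```python
from __future__ import annotations
from dataclasses import dataclass, field
# Assumptions for this example: an illustrative adequacy set (verify against the
# Federal Council's list) and a 90-day retention cap taken from Step 4.
ADEQUATE_REGIONS = {"CH", "EU", "EEA"}
MAX_RETENTION_DAYS = 90
TRANSFER_SAFEGUARDS = {"scc", "consent", "risk_assessment"}

@dataclass
class Tool:
    name: str
    category: str                 # e.g. "ai-transcription", "cloud-storage"
    data_types: list              # what client data it processes (Step 1)
    location: str                 # region where it processes/stores data
    retention_days: int | None    # None means unknown or indefinite
    safeguards: set = field(default_factory=set)  # subset of TRANSFER_SAFEGUARDS
    sub_processors_known: bool = True
    auto_record_external: bool = False

def audit_tool(t: Tool) -> list[str]:
    """Return the findings for one tool; an empty list means no gap was found."""
    findings = []
    # Cross-border rule: a non-adequate location needs SCCs, consent or a risk assessment.
    if t.location not in ADEQUATE_REGIONS and not (t.safeguards & TRANSFER_SAFEGUARDS):
        findings.append("transfer to non-adequate jurisdiction without SCCs, consent or risk assessment")
    if t.retention_days is None or t.retention_days > MAX_RETENTION_DAYS:
        findings.append(f"retention unknown or longer than {MAX_RETENTION_DAYS} days")
    if not t.sub_processors_known:
        findings.append("sub-processors not documented")
    if t.auto_record_external:
        findings.append("auto-record enabled for external meetings")
    return findings

def audit_inventory(tools: list[Tool]) -> dict[str, list[str]]:
    """Map each tool name to its findings; tools with no findings map to []."""
    return {t.name: audit_tool(t) for t in tools}

# Constructed sample inventory: the same hypothetical transcription tool before
# and after applying the safeguards, plus a Swiss-hosted storage tool.
INVENTORY = [
    Tool("transcriber-X (as found)", "ai-transcription", ["voice", "transcript"], "US", None,
         sub_processors_known=False, auto_record_external=True),
    Tool("transcriber-X (remediated)", "ai-transcription", ["voice", "transcript"], "US", 60,
         safeguards={"scc", "consent"}),
    Tool("swiss-drive", "cloud-storage", ["files"], "CH", 365),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "->", findings or "no findings")
```

Note that the Swiss-hosted tool still gets a finding: data residency settles the transfer question but not retention.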
Compliant alternatives and mitigations
You don’t have to stop using AI productivity tools. But you should choose deliberately.
Prefer tools with EU/Swiss data residency
Where available, select providers that offer data processing within Switzerland or the EU. Microsoft Teams with European data residency is one option for organizations already in the Microsoft ecosystem. For self-hosted alternatives, tools like Jitsi Meet (open-source video conferencing) can run on Swiss infrastructure.
Self-hosted transcription
If you handle highly sensitive client conversations (legal, medical, financial), consider local transcription tools that process audio on your own machine. Whisper (OpenAI’s open-source speech recognition model) can run locally, keeping recordings off third-party servers entirely. The transcription quality is competitive with cloud services for most European languages.
Strengthen your file-sharing layer
Meeting recordings and transcripts need a secure home after the call. Sending recordings over email or storing them in a general-purpose cloud drive introduces unnecessary exposure. Tresorit offers zero-knowledge, end-to-end encrypted file sharing with Swiss data residency, making it well-suited for storing and sharing sensitive meeting artifacts with clients. Files are encrypted before they leave your device, so even the storage provider cannot access the content.
Contract-level mitigations
If switching tools isn’t practical, mitigate through contracts:
- Add data processing disclosures to your service agreements
- Include standard contractual clauses for cross-border transfers
- Document your risk assessment for each tool
- Offer clients the option to decline recording
This won’t eliminate the structural issues with US-based data processing, but it puts you in a defensible position and satisfies the nFADP’s transparency requirements.
Putting it together
AI meeting tools deliver real productivity gains. The legal requirements around them are manageable: inform clients before recording, explain where data goes, obtain explicit consent, and document your practices. A one-page disclosure and a consistent pre-meeting habit cover most of the obligation.
The broader lesson extends beyond meeting recorders. Every SaaS tool in your stack that processes client data creates a disclosure obligation. An annual tool audit and a clear client-facing disclosure document turn this from an ongoing worry into a solved problem.
A note on legal advice: This article provides general guidance on consent and disclosure obligations under Swiss law. It is not legal advice and does not replace consultation with a qualified attorney. Requirements vary depending on your industry, client relationships, and the specific tools you use. If you need help drafting disclosure documents or consent language, consider consulting a lawyer specializing in Swiss data protection law. Platforms like GetYourLawyer can help you find one.
For links on this page, NeoGuard may earn a commission from the provider. This supports our work and has no influence on our editorial recommendations. See our privacy policy for details.