UK, Switzerland & Non-EU Europe Voice AI Regulations 2026
Last updated on June 22, 2026
We build and advise on production AI systems. Bring your questions to a free intro call.
Talk to usNon-EU Europe is not a regulatory gap. It is a fragmented map with no single floor, where the rules that decide your exposure change at every border. A voice agent that records calls freely in London commits a criminal offence in Zurich. A product that ships EU customer data to a vendor in Tbilisi or Istanbul has no adequacy cover and needs explicit safeguards. And a UK or Swiss company that takes a single call from an EU resident is pulled back inside the EU AI Act regardless of where it sits.
This guide maps the markets outside the EU: the United Kingdom and Switzerland (the two commercial heavyweights, both with EU adequacy), Turkey and Ukraine (large markets with strict criminal recording rules), Georgia, and the Western Balkans. It is the companion to the EU and EEA founder’s guide and the US founder’s guide. The EEA states (Norway, Iceland, Liechtenstein) apply the GDPR in full and are covered in the EU/EEA guide.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. National rules change weekly, and several instruments cited below are at draft or pre-enactment stage. Verify current status before relying on anything here, and consult a qualified attorney for your situation.
How to read this guide: three axes and one long arm
Outside the EU there is no shared AI Act or GDPR applying by default. For each country, three things determine your real exposure:
- GDPR adequacy – whether the EU has ruled the country’s data protection “adequate.” If yes (only the UK and Switzerland among the countries here), EU-to-country data flows are unrestricted. If no (everywhere else), moving EU caller data there needs explicit safeguards (standard contractual clauses, explicit consent).
- Call-recording consent regime – one-party, all-party, or all-party backed by criminal law. This is the single most dangerous national divergence for a voice agent.
- AI-specific law – whether the country has any binding AI rule, a draft one, or nothing yet.
Then the long arm: the EU AI Act applies extraterritorially. Under Article 2, it reaches providers and deployers outside the EU whose system output is used in the EU. If your voice agent handles EU residents, the Article 50 disclosure duty (tell callers they are talking to AI, from 2 Aug 2026) binds you even from London or Zurich. The same is true of the GDPR under its own Article 3.
The reference table: adequacy, recording, AI law
| Country | EU GDPR adequacy | Recording consent (+ code) | AI-specific law |
|---|---|---|---|
| United Kingdom | Yes (renewed Dec 2025, valid to Dec 2031) | One-party for the act; GDPR/PECR disclosure for business use | No AI Act (pro-innovation); sandbox powers proposed |
| Switzerland | Yes (reconfirmed Jan 2024) | All-party, criminal (Criminal Code Art. 179bis / 179ter) | None yet; signed the Council of Europe AI Convention |
| Turkey | No | All-party, criminal (Penal Code Art. 132–134) | None in force; draft AI-content labelling law (Nov 2025) |
| Ukraine | No | All-party (Constitution Art. 31; Criminal Code Arts. 163/182) | None binding; voluntary code aligned to the EU AI Act |
| Georgia | No | All-party / consent-based (Law No. 3144) | None |
| Serbia | No | Per national law plus GDPR-aligned act | No binding law; national AI strategy aligned to the EU AI Act |
| Moldova, N. Macedonia, Albania, Montenegro, Bosnia | No | Per national law plus GDPR baseline | None binding |
United Kingdom
Jurisdiction stack: outside the EU, but governed by the UK GDPR plus the Data Protection Act 2018, which still hold a full EU adequacy decision (renewed in December 2025 and valid until 27 December 2031, so EU-to-UK data flows are free). No AI Act. Regulators: the ICO (data) and Ofcom (telecoms). If you serve EU residents, the EU AI Act and EU GDPR also reach you.
Where it bites:
- Voiceprints are Article 9 data, and the ICO enforces it. ICO biometric-recognition guidance treats a voiceprint used for identification or verification as special-category data, needing a lawful basis plus an Article 9 condition (usually explicit consent) and a DPIA. The clearest precedent: HMRC was ordered to delete around 5 million voiceprints collected through its voice-ID service without a valid lawful basis.
- AI marketing calls are already drawing fines. Automated or AI-voice marketing calls require prior specific consent under PECR. In September 2025 the ICO fined Home Improvement Marketing Ltd £300,000 and Green Spark Energy Ltd £250,000 for unlawful calls made with AI “avatar” software impersonating named UK agents. The Data Use and Access Act raised PECR’s fine ceiling to UK GDPR levels: up to £17.5 million or 4% of global turnover. Ofcom separately polices silent and abandoned calls (up to £2 million).
- Automated decisions got easier, except on biometrics. The Data (Use and Access) Act 2025 (Royal Assent 19 June 2025, commenced in stages) liberalised solely-automated decision-making: significant automated decisions are now broadly permitted with safeguards (notice, a right to make representations, a right to human intervention) except where they rely on special-category data such as a voiceprint, where the stricter regime remains.
The AI posture: the UK has no AI Act and is not planning one. The 2026 King’s Speech announced a “Regulating for Growth” bill and sandbox powers rather than horizontal AI legislation, and DSIT launched an AI Growth Lab sandbox consultation in late 2025. There is no general “label your AI voice” statute; deepfake provisions sit in the Online Safety Act 2023 and the DUAA, and are abuse-focused, not commercial-voice labelling. The practical effect: lighter AI-specific friction than the EU, but real PECR and biometric enforcement.
Switzerland
Jurisdiction stack: outside the EU, governed by the revised Federal Act on Data Protection (revFADP / nFADP), in force since 1 September 2023, with a full EU adequacy decision (reconfirmed January 2024), so EU-to-Switzerland flows are free. Regulator: the FDPIC. No AI Act yet. EU residents pull in the EU AI Act and GDPR.
Where it bites:
- Recording without all-party consent is a crime. Swiss Criminal Code Article 179bis (recording by a non-participant) and Article 179ter (recording by a participant) make recording a non-public conversation without the consent of all participants a criminal offence. The FDPIC stresses that consent must be obtained before recording. Every recorded call in Switzerland needs an all-party consent gate, not a passive notice.
- Voice is sensitive data by statute. The revised FADP added biometric data that uniquely identifies a person to the “sensitive personal data” category, and the definition expressly covers voice recordings used for unique identification. Sensitive-data processing triggers heightened consent and security duties.
- Penalties land on individuals, not just the company. Switzerland has no GDPR-style administrative fines. Instead, the FADP imposes criminal fines of up to CHF 250,000 on the responsible natural person for intentional serious breaches (including breaching information duties or transfer rules). The FDPIC investigates and can order remediation but cannot itself levy fines.
The AI posture: no comprehensive AI law. Switzerland signed the Council of Europe Framework Convention on Artificial Intelligence on 27 March 2025 and plans targeted legal changes, with a consultation draft due by the end of 2026. The FDPIC confirmed in May 2025 that the FADP already applies directly to AI systems processing personal data, including a duty to inform people of solely-automated decisions with significant effects.
Turkey
Jurisdiction stack: governed by KVKK (Law No. 6698), amended by Law No. 7499 (effective 1 June 2024), which modernised the special-category rules and introduced a GDPR-style three-tier international transfer regime (adequacy, standard contractual clauses or binding rules, derogations). No EU adequacy decision. Regulator: the KVKK authority.
Where it bites:
- Recording is criminal and all-party. Turkish Penal Code Articles 132–134 make recording private conversations without all parties’ consent a crime: a participant who secretly records faces 6 months to 2 years, and third-party recording of a conversation 2 to 5 years (up to 6 years for intercepting the content of communications). The KVKK adds a lawful-basis and notice duty on top.
- Voiceprints are special-category data under KVKK Article 6, and the authority has issued a dedicated Guideline on Processing Biometric Data requiring explicit consent and enhanced security. Fines for data-security failures reach TRY 17 million in the 2026 schedule, alongside criminal liability for unlawful recording.
The AI posture: no comprehensive AI law in force, but a Draft Law on AI-Generated Content was submitted to Parliament in November 2025. It would mandate “Generated by Artificial Intelligence” labelling for synthetic content, a 6-hour takedown window, and BTK and KVKK enforcement, with fines of TRY 500,000 to 5,000,000. Treat AI-voice labelling as a likely near-term requirement.
Ukraine
Jurisdiction stack: governed by the pre-GDPR Law on Personal Data Protection No. 2297-VI (2010), light-touch and not EU-adequate. The GDPR-alignment reform, Draft Law No. 8153, passed first reading on 20 November 2024 but is not yet enacted. Regulator: the Parliament Commissioner for Human Rights (Ombudsperson).
Where it bites:
- Recording is all-party and constitutionally protected. Article 31 of the Constitution plus Criminal Code Articles 163 and 182 make recording lawful only with the recorded person’s consent or a court order. Get explicit consent at call start.
- Enforcement is modest today, but about to jump. Current fines are small (roughly €170 to €425). Draft Law 8153 would add GDPR principles, special categories (covering biometric voiceprints), an independent DPA, and fines up to UAH 150 million or 8% of turnover. Build to the GDPR now, because the reform is on the EU-accession track.
The AI posture: a deliberate bottom-up, voluntary-first approach aligned to the EU AI Act for accession. Ukraine published an AI Regulation Roadmap (2023) and White Paper (2024) and endorsed a voluntary Code of Conduct on ethical AI in December 2024. No binding AI law yet.
Georgia
Jurisdiction stack: governed by the GDPR-modelled Law on Personal Data Protection No. 3144 (main provisions in force 1 March 2024), but not EU-adequate. No AI law, no AI regulator, no national AI strategy.
Where it bites:
- Audio monitoring is consent-based. Recording is permissible with the data subject’s consent plus narrow exceptions; the controller must document purpose, scope, and retention, and notify the data subject in advance or promptly. Biometric data, including voiceprints, is special-category and needs explicit consent.
- The regulator just changed. The independent Personal Data Protection Service was abolished on 2 March 2026, with its functions moved to the State Audit Office, a change criticised over regulator independence. Penalties remain modest (roughly GEL 1,000 to 10,000, set partly by reference to turnover).
The Western Balkans and Moldova
None of these EU-candidate states holds an adequacy decision, and all are harmonising with the GDPR to varying degrees. For any EU caller data, build to the GDPR. AI-specific binding rules are largely absent; Serbia is the regional front-runner.
- Serbia. The Law on Personal Data Protection (2018, in force August 2019) is largely GDPR-harmonised, enforced by the Commissioner for Information of Public Importance and Personal Data Protection. Serbia is the regional AI leader: its national AI strategy (2025–2030) aligns with the EU AI Act, it hosted the Belgrade Ministerial Declaration on AI (December 2024), and it holds the GPAI presidency for 2025–2027.
- Moldova. EU candidate since 2022, modernising its data-protection law toward the GDPR. Regulator: the National Center for Personal Data Protection.
- North Macedonia. GDPR-aligned Law on Personal Data Protection (2020). Regulator: the Agency for Personal Data Protection.
- Albania. Adopted a new GDPR-aligned data-protection law (2024–2025). Regulator: the Information and Data Protection Commissioner.
- Montenegro. GDPR alignment ongoing; an accession frontrunner. Regulator: the Agency for Personal Data Protection.
- Bosnia and Herzegovina. Still on an older 2006 law, not yet fully GDPR-aligned (flag this gap). Regulator: the Agency for Personal Data Protection.
Across the region, treat the recording rule conservatively (consent at call start) and the AI layer as the EU AI Act applied extraterritorially whenever you serve EU users.
Sector overlays: finance and health
Outside the EU, the sector regulators add the binding ceiling, and neither the UK nor Switzerland regulates AI as a category. They pull a voice agent in by what it does.
UK finance: the duty to record, and the duty of good outcomes
The most distinctive rule in the region is a positive duty to record. Under FCA Handbook SYSC 10A (implementing MiFID II Article 16(7)), firms handling client orders must take all reasonable steps to record order-related calls, including calls intended to result in an order even if none does, and retain them for five years (extendable to seven) on firm-controlled, retrievable infrastructure. This is the inverse of the general one-party-permissive rule: client refusal does not waive it, and the firm must not take the order on an unrecorded channel.
On top sits the FCA Consumer Duty (in force 31 July 2023), which is technology-neutral and judges the outcome, not whether a human or a bot delivered it. A voice agent must produce understandable communications, avoid foreseeable harm, and detect vulnerability signals and route them to a human (FCA finalised guidance FG21/1). The FCA has stated it will not write bespoke AI rules; existing principles apply. Vendors are governed as a (material) outsourcing arrangement under SYSC 8 and the operational-resilience regime (SYSC 15A), with the regulated firm carrying the liability.
UK health and employment
A voice agent doing symptom assessment or triage can be software as a medical device under MHRA rules, where breach is a criminal offence (up to six months’ imprisonment and an unlimited fine); a booking bot is not. For workers, the ICO’s monitoring guidance states that continuous audio recording is “unlikely to be justifiable in most circumstances”, and its November 2024 AI-recruitment audit found tools inferring gender and ethnicity from voice and names without a lawful basis.
Switzerland: governance duties, but no duty to record
FINMA Guidance 08/2024 (18 Dec 2024) applies existing governance rules to any AI use by a supervised institution: an AI inventory, risk classification, testing, documentation, explainability, and independent review, with responsibility that cannot be outsourced. Outsourcing (Circular 2018/3) gives the institution, its auditors, and FINMA unrestricted audit rights over the vendor. Crucially, Switzerland imposes no general statutory duty to record client-order calls (FinSA requires documentation, not recording), the clean contrast with the UK. Where recording does happen, it is sensitive-data processing under the revised FADP, with the usual personal criminal liability up to CHF 250,000.
Turkey: a hard localisation wall
For banks, the BDDK’s IT regulation requires primary and secondary systems to stay on Turkish soil. Any cloud or AI voice vendor touching primary-system data must host it in Turkey, a binding architectural constraint that no contractual safeguard removes.
Everywhere else in this guide, recording is something you are permitted to do if you disclose it. For UK firms handling client orders, recording is something you are required to do. Under SYSC 10A, every order call (including attempted and abandoned orders) must be recorded on firm-controlled infrastructure and kept five to seven years, and a client’s refusal does not release the firm, it just means the order cannot be taken on that channel. Switzerland, by contrast, imposes no such duty at all. Same continent, opposite defaults.
Compliance Framework for Non-EU Europe
1. Fix data transfers by adequacy status
For the UK and Switzerland, EU caller data flows freely on the adequacy decisions. For every other country here (Turkey, Ukraine, Georgia, the Balkans), moving EU resident data in or out needs explicit safeguards: standard contractual clauses, or explicit informed consent, plus a transfer risk assessment.
2. Default to all-party consent
Switzerland, Turkey, and Ukraine impose criminal or constitutional all-party recording rules, stricter than the EU’s GDPR-only default. The UK is one-party but still needs disclosure for business use. Design a single audible all-party consent gate at the start of the call and it works across the whole region.
3. Treat voiceprints as sensitive everywhere
The UK (Article 9), Switzerland (sensitive data by statute), and Turkey (KVKK Article 6) all classify voiceprints as special-category or sensitive data needing explicit consent. The HMRC deletion of 5 million voiceprints is the cautionary precedent.
4. Assume the EU AI Act reaches you
If any of your callers are EU residents, AI Act Article 50 disclosure and the GDPR apply extraterritorially from your UK or Swiss base. Build start-of-call AI disclosure now rather than treating it as an EU-only problem.
5. Watch the reform pipeline
Ukraine (Draft Law 8153, fines to 8% of turnover), Turkey (the AI-content labelling bill), and Switzerland (the Council of Europe AI Convention implementation) are all moving. Today’s light-touch jurisdictions will not stay light-touch.
Regulatory Horizon (Next 12 Months)
| Development | Status | Practical preparation |
|---|---|---|
| UK adequacy | Renewed Dec 2025, valid to 27 Dec 2031 | Settled; no near-term SCC fallback needed |
| UK DUAA commencement | Royal Assent June 2025, staged | Apply the ADM safeguards; keep biometric decisions in the stricter lane |
| Turkey AI-content labelling law | Draft submitted Nov 2025 | Prepare “Generated by AI” labelling and takedown handling |
| Ukraine Draft Law 8153 | Passed first reading Nov 2024 | Build to the GDPR now; fines jump to 8% of turnover if enacted |
| Switzerland AI Convention | Signed Mar 2025; draft due end-2026 | Expect transparency and automated-decision duties to harden |
| Georgia regulator transition | Service abolished Mar 2026 | Re-confirm the competent authority before relying on guidance |
Conclusion
Outside the EU, there is no single rulebook to get right. There are three axes that decide your exposure country by country: adequacy (does EU data flow freely), the recording regime (one-party, or criminal all-party), and whether any AI law applies yet. The two markets worth real engineering effort, the UK and Switzerland, both hold EU adequacy but diverge sharply on recording: the UK is one-party with active PECR and biometric enforcement, while Switzerland makes an unconsented recording a crime and treats voice as sensitive data by statute.
The unifying move is simple. Default your call flow to all-party consent, treat every voiceprint as special-category data, and assume the EU AI Act’s Article 50 disclosure reaches you the moment an EU resident is on the line. Get those three right and the rest of the non-EU map becomes a transfer-safeguards and reform-tracking exercise, not a minefield.
Frequently Asked Questions
Yes, if your system’s output is used in the EU. AI Act Article 2 gives it extraterritorial reach, so a UK or Swiss voice agent handling EU residents must meet the Article 50 disclosure duty (tell callers they are talking to AI, from 2 August 2026) regardless of where the company sits. The GDPR applies the same way under its Article 3.
No. The UK is effectively one-party (a participant can record, with disclosure for business use), but Switzerland makes recording a non-public conversation without all participants’ consent a criminal offence under Criminal Code Articles 179bis and 179ter. You need an audible all-party consent gate before any audio is stored.
Among the markets in this guide, only the United Kingdom and Switzerland hold full EU adequacy decisions, so EU caller data flows to them without extra safeguards. Turkey, Ukraine, Georgia, and the Western Balkans do not, so transfers of EU resident data need standard contractual clauses or explicit consent plus a transfer risk assessment.
Yes. The ICO treats a voiceprint used for identification or verification as special-category biometric data under the UK GDPR, requiring a lawful basis, an Article 9 condition (usually explicit consent), and a DPIA. HMRC was ordered to delete around 5 million voiceprints collected without a valid lawful basis.
Yes. Automated and AI-voice marketing calls require prior specific consent under PECR. The ICO fined two companies a combined £550,000 in September 2025 for unlawful calls made with AI avatar software, and the Data Use and Access Act 2025 raised the PECR fine ceiling to £17.5 million or 4% of global turnover.
Switzerland for recording and biometrics (criminal all-party consent plus voice as statutory sensitive data), with Turkey close behind (criminal all-party recording plus a pending AI-content labelling law). Ukraine is also strict on recording today but light on enforcement, a balance that will shift once Draft Law 8153 is enacted.