The Conference of Swiss Data Protection Officers, Privatim, has severely restricted the usability of international cloud services – particularly hyperscalers like AWS, Google, or Microsoft – for federal authorities in a resolution. At its core, the resolution from Monday amounts to a de facto ban on the use of these services as comprehensive Software-as-a-Service (SaaS) solutions whenever particularly sensitive or legally confidential personal data is involved. For the most part, authorities will likely only be able to use applications like the widespread Microsoft 365 as online storage.
The background to the position is the special responsibility of public bodies for the data of their citizens. While cloud services appear extremely attractive due to their economies of scale and dynamic resource allocation, data protection officers see significant risks in outsourcing sensitive data to international public clouds. Regardless of the sensitivity of the information, authorities must always analyze and mitigate such risks, but for particularly sensitive or confidential data in SaaS solutions from large international providers, Privatim considers outsourcing inadmissible in most cases.
The experts cite a lack of protection due to insufficient encryption and the associated loss of control as the main reasons. Most SaaS solutions do not yet offer true end-to-end encryption that would exclude the cloud provider's access to plaintext data. Yet that is precisely the central demand: use is only permissible if the data is encrypted by the public body itself and the cloud provider has no access to the key.
Concerns about Cloud Act
Another point is the low transparency of globally operating companies. According to the resolution, Swiss authorities can hardly verify compliance with contractual obligations regarding data protection and security. This concerns both the implementation of technical measures and the oversight of employees and subcontractors, who sometimes form long chains of external service providers. Compounding this is the fact that software providers periodically adjust their contract terms unilaterally.
Privatim is particularly concerned about the US Cloud Act. It can obligate US providers to hand over customer data to US authorities even if the data is stored in Swiss data centers, and the rules of international legal assistance do not have to be observed, the controllers complain. This creates considerable legal uncertainty, especially for data subject to a duty of confidentiality.
According to lawyer Martin Steiger, most authority data is subject to a duty of confidentiality. Furthermore, meaningful use of many cloud services with continuous encryption is hardly possible. However, it remains to be seen whether the supervisory authorities will follow their words with actions this time. Cantonal controllers had already declared the use of Microsoft 365 generally inadmissible in the past, which had hardly any consequences. Nevertheless, the resolution presents authorities with challenges regarding their IT strategy.
(vbr)