Cloud Act: A Risk-Based Approach the Commissioner Does Not Like

“Is the use of Microsoft 365 illegal in Switzerland?” That is the question posed by lawyer Sylvain Métille, an expert in data protection law, following a statement by the Federal Data Protection and Information Commissioner (PFPDT, its French acronym). Adrian Lobsiger reacted very critically to the risk analysis carried out by Suva ahead of a planned move to Microsoft’s cloud environment. The planned use would cover, in particular, emails and business correspondence, but also working and case-management documents for accident insurance and military insurance.

Like other organizations (the Canton of Zurich, for instance, assessed the risk of moving to the Microsoft cloud in the same way), Suva opted for a risk-based approach, using David Rosenthal’s method to decide whether a move to Microsoft 365 was feasible, with particular focus on the Cloud Act and the risk of US authorities gaining access to personal data. Although nothing compelled it to do so, the insurer shared its analysis with the PFPDT in December, and the Commissioner did not take it well.

In his position paper, which he chose to publish (along with Suva’s response), the Commissioner “welcomes the decision taken by Suva to subject its data outsourcing project to a review from a data protection point of view”, but above all raises numerous criticisms and recommends that the insurer “reassess its project as soon as possible”.

The Commissioner levelled several criticisms at the insurer. First, that it used David Rosenthal’s method rather than the Commissioner’s own “Guide to Examining the Legality of Cross-Border Data Communication”, published last year. He also faults Suva for estimating how much interest foreign authorities might have in its personal data, when nothing allows such interest to be predicted; Suva retorts that the Cloud Act requires requests to be substantiated. The Commissioner further objects that Rosenthal’s analysis yields a precise percentage for the access risk even though that figure is obtained by multiplying together a series of upstream estimates.

Two criticisms with multiple implications

But it is two more fundamental criticisms that should be kept in mind, because they matter for every organization facing the same question of whether to migrate to a US vendor’s cloud in the current uncertain situation.

Firstly, Adrian Lobsiger’s office criticizes Suva’s choice to carry out an impact analysis without first considering whether the use of cloud tools from Microsoft, an American company, is legal at all. In the opinion of Suva’s experts, the approach is justified because the contract is concluded with Microsoft Ireland (a country with an adequate level of protection) and not with Microsoft in the United States (a country considered not to offer sufficient guarantees since Schrems II). The Commissioner does not seem to share that opinion, and the difference has significant implications, as Sylvain Métille points out: “[…]os, in the USA. If this decision were followed, it would mean that all service providers with a connection to the US, even without data being transferred there or made available in any other way, would be excluded.”

Secondly, the Commissioner questions the very principle of a risk-based approach. His position paper states: “In this context, the Commissioner wonders at least whether the risk-based approach is legally admissible and whether it can be invoked to justify the outsourcing of the data in question”. In its response, Suva is surprised, to say the least: “Your explanations surprise us a lot; in fact, they contradict the point of view that you have held so far. You explain that after almost 30 years of the LPD [the Federal Act on Data Protection], the ‘risk-based’ approach would suddenly no longer be valid for transfers abroad, without giving material reasons. However, it is precisely these reasons that would be important for us to know.” Citing several examples, the insurer argues that the risk-based approach is inherent in Swiss data protection law, and adds: “If Switzerland were to abandon the risk-based approach by unilaterally following certain EU data protection authorities, it would mean that international transfers of data to states such as the United States should be prohibited as a matter of principle.”

A desire to send a signal?

These differences between the Commissioner and Suva are not insignificant. As noted, the issue is a live one for many organizations, especially public administrations, against the backdrop of the debate around the sovereign cloud. While Suva reads the Commissioner’s position as a desire not to jeopardize the EU’s adequacy decision for Switzerland, lawyer Sylvain Métille sees in it “an important warning for the administration, but also for all companies and individuals who process personal data”, even if he doubts that the PFPDT is willing to enforce his position.