The conference of Swiss data protection officers, Privatim, has in a resolution severely restricted the usefulness of international cloud services, especially hyperscalers like AWS, Google, or Microsoft, for public authorities. At its core, Monday's resolution amounts to a de facto ban on using these services as comprehensive software-as-a-service (SaaS) solutions whenever particularly sensitive or legally confidential personal data is involved. For the most part, public administrations will probably only be able to use suites like Microsoft 365 as online storage.
The background to this position is the special responsibility of public bodies for the data of their citizens. While cloud services seem extremely attractive due to their economies of scale and dynamic resource allocation, data security officials see significant risks in outsourcing sensitive data to an international public cloud. Regardless of the sensitivity of the information, authorities should always analyze and mitigate such risks, but for particularly sensitive or confidential data in SaaS solutions from large international providers, Privatim considers outsourcing unacceptable in most cases.
The data protection officers cite a lack of security and a loss of control due to inadequate encryption as the main reasons. Most SaaS solutions do not yet offer true end-to-end encryption that would exclude the cloud provider from accessing plaintext data. Yet that is precisely the central demand: use is acceptable only if the public body encrypts the data itself and the cloud provider has no access to the key.
Concerns about Cloud Act
Another point is the low transparency of globally operating companies. Swiss authorities can hardly verify compliance with contractual obligations regarding data protection and security. This concerns both the implementation of technical measures and oversight of employees and subcontractors, who sometimes form long chains of external service providers. Added to this is the fact that software providers unilaterally change their contract terms from time to time.
Privatim is particularly concerned about the US CLOUD Act. It could force providers based there to hand over customer data to US authorities, even if the data is stored in Swiss data centres. The data protection officers complain that this bypasses the rules of international mutual legal assistance. This creates considerable legal uncertainty, especially for data subject to a duty of confidentiality.
According to lawyer Martin Steiger, most authorities are subject to a duty of confidentiality for their data. Furthermore, meaningful use of many cloud services is hardly possible with end-to-end encryption. It remains to be seen, however, whether the supervisory authorities will follow through on their words this time. The cantonal data protection officers had already declared the use of Microsoft 365 generally unacceptable, with hardly any consequences. Nevertheless, this resolution presents public administrations with challenges for their IT strategy.
(vbr)
This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.