When the public sector authorities use foreign cloud providers for data storage
Digital sovereignty is one of three annual focus topics of the “Digital Switzerland Strategy”. It is about the question of how dependencies in the digital world can be reduced. One concrete application is the public authority cloud: Is a Swiss administration allowed to store its data with a foreign cloud provider? Yes, concludes a panel of legal experts – although additional measures are necessary to protect citizens.
“If we hadn’t had the whole story with Snowden and the NSA, everyone would be a little less excited,” explains Esther Zysset at the panel discussion on the city of Zurich’s public authority cloud. The public law expert discusses with Christian Laux the expert opinion that his law firm wrote for the city of Zurich. It certifies that the outsourcing of the public authority cloud to servers of foreign manufacturers is not a problem for the City of Zurich from a legal point of view. The panel is a joint event of the Bern University of Applied Sciences (BFH) and the Swiss Data Alliance, an independent think tank for constructive data policy. Rika Koch from the BFH’s Public Sector Transformation Institute will moderate the discussion.
The three experts agree that when a public authority moves its data into the cloud, it bears a responsibility – it must know what is happening technically, but also what contractual and legal framework conditions exist. That is why there is no need for an additional law, argues Christian Laux: “The political discussion must not hide behind the legal questions. Because the legality and proportionality of a cloud solution for government data is primarily a question of correct, careful implementation.”
Indeed, the breakdown of responsibility according to political will, technical framework conditions and concrete requirements for a respective organisational unit makes sense, attests Esther Zysset. “What is difficult, however, are the aspects that have to do with foreign involvement.” There would be no adequate legal protection for citizens if, for example, a foreign authority demanded the surrender of data about a person. Christian Laux agrees: “It is no longer possible to guarantee 100% that the data will not be accessed in the event of legal proceedings abroad. There is a need for action here at the federal level.”
However, the experts have fewer concerns with regard to access by intelligence services, for example under the American CLOUD Act. “As soon as American authorities demand the surrender of data, the cloud provider will already inform that it is the data of an authority.” The American authority would then contact the city of Zurich – and the city could bring the case to Switzerland and have it dealt with according to Swiss jurisdiction.
Only from the perspective of constitutional law does the expert opinion go too far in one respect, says Esther Zysset: “The expert opinion describes how an authority can authorise access to the cloud and thus de facto disregard official secrecy. This ultimately means that an executive decision has greater weight than the law passed by the legislature.” However, this is only problematic if the approvals are very sweeping instead of case-by-case, she concedes.
Focus on data sovereignty
As a partial aspect of digital sovereignty, data sovereignty formulates what must be done in connection with data so that a state can act sovereignly. The focus here is on three aspects:
- The delimitation of competences vis-à-vis other states (e.g. procedure in the event of criminal prosecution abroad)
- The sovereignty of a state with regard to its own data (e.g. the commercial use of certain data-related transactions)
- The ability to defend against external attacks (e.g. protection against espionage)
A newly awakened interest in the concept of sovereignty is also reflected in the multitude of interest groups that are pushing forward a respective reinterpretation of the concept and thus of the understanding of the state. In order to facilitate a constructive discourse, the Swiss Data Alliance has published a concept paper that summarises the anchor points of data sovereignty.
The Swiss Data Alliance is committed to a constructive data policy at the interface of research, business and civil society.