Switzerland: FDPIC advises Suva against outsourcing data processing to Microsoft cloud services
The Federal Data Protection and Information Commissioner ('FDPIC') published, on 13 June 2022, a statement issued on 13 May 2022 advising the Swiss National Accident Insurance Fund ('Suva') to reconsider its plan to outsource its personal data processing to a cloud service operated by the US company Microsoft Corporation. The statement followed Suva's voluntary submission to the FDPIC of a risk assessment document concerning its plans to transition data processing operations from an on-premises solution, i.e. its own infrastructure, to a data centre operated on Swiss territory by Microsoft.
In particular, the FDPIC highlighted that the outsourcing would result in cross-border data processing subject to the requirements of national data protection law, as Suva itself acknowledged. Furthermore, the FDPIC noted that the US is no longer considered to provide an adequate level of protection under Swiss law and that, for data transfers to such jurisdictions, it had published, in June 2021, a guide for checking the admissibility of data transfers. That guide provides that data exporters should assess whether the legal system of the third country is able to ensure four specified constitutional guarantees under Swiss law, based on an assessment of the applicable legislation in the country of destination, the practices of the administrative and judicial authorities, and case law, but not on subjective factors such as the likelihood of access. Moreover, the FDPIC outlined that Microsoft and its associated business units around the world, including in Switzerland, are subject to the US Clarifying Lawful Overseas Use of Data Act 2018 ('CLOUD Act'), which obliges all company units to guarantee US authorities access to personal data, even if the data is not stored in the US, without observing the procedures and guarantees required by Swiss law.
Notably, the FDPIC highlighted that Suva did not address the review process recommended by the FDPIC's aforementioned guide, and generally failed to address the legal admissibility of the cross-border data processing envisaged under the outsourcing project. Instead, Suva followed a risk-based approach, finding that the likelihood of US authority access to the outsourced personal data over a five-year period amounts to 2.52%, and thus concluding that the 'risk' of access was 'highly unlikely'. Suva based this assessment, among other things, on the content of the personal data and the alleged lack of interest that intelligence authorities would have in such content. In response, the FDPIC outlined that neither the Federal Act on Data Protection 1992 ('FADP') nor the Revised FADP, which is due to enter into effect on 1 September 2023, provides any justification for data transfers based on the alleged interests of the intelligence authorities of the importer jurisdiction.
Furthermore, the FDPIC emphasised that neither the FADP nor the Revised FADP contains any indication of a risk-based approach to data transfers, and thus questioned the legality of such an approach. However, the FDPIC also stated that, given that there is no case law on this particular topic, it could not definitively reject such an approach. In any case, the FDPIC highlighted that even if a risk-based approach were to be legally affirmed, the legality of the outsourcing and the associated data transfers to the US would likely remain doubtful. In this regard, the FDPIC rebutted Suva's assessment that the organisation-specific nature of the personal data it processes would reduce the likelihood of US intelligence access, and generally questioned the calculation method that led Suva to conclude that the likelihood of access was negligibly low.
With the above reasoning in mind, the FDPIC advised Suva to promptly reassess the risks associated with the disclosure of the personal data in question and to adapt its project decisions in light of the factual and legal considerations. Furthermore, the FDPIC highlighted that, although it sees no reason to investigate the facts brought to its attention by Suva, it reserves the right to take supervisory action depending on how the factual and legal situation develops.
Additionally, the FDPIC published Suva's response, as sent to the FDPIC on 9 June 2022. In particular, Suva questioned several of the FDPIC's conclusions, including those concerning the scope of the US CLOUD Act and its incompatibility with Swiss constitutional guarantees, and the legal admissibility of the risk-based approach. Suva also acknowledged that it had not used the review procedure advocated in the FDPIC's June 2021 guide, stating its belief that such a method is 'unsuitable' and that the method it had employed was 'more sophisticated and holistic', and further noting that the Canton of Zurich had declared it to be the appropriate standard and that the Dutch Government had employed it in its Data Protection Impact Assessment on Microsoft. Based on these comments, among others, Suva urged the FDPIC to reconsider its position.