On February 15, 2023, the Federal Council decided to use Microsoft 365 as the new Office version in the federal administration (Media release). The decision was preceded by a test phase under the nicely titled project “Cloud Enabling Office Automation” (CEBA). The introduction covers Word, Excel, PowerPoint, OneNote, Outlook, Teams, Windows 10 and 11 Enterprise, SharePoint Online, OneDrive for Business, Stream, Sway, Visio, Power Apps for Microsoft 365, Power Automate for Microsoft 365, Power Virtual Agents for Teams, Power BI and others.
The Federal Chancellery has described the project in more detail in an information paper updated as of February 14, 2023 (here) and analyzed the admissibility of sourcing the service in a paper “Legal Basis” of the same date (here). The result of this paper:
With the contracts concluded with Microsoft, the federal administration has created the foundations for allowing the use of M365 in compliance with the legal framework. A deployment guideline is to be created for its use so that data with a higher protection requirement is not stored in the cloud. A risk analysis was prepared as part of the ISDS concept; the residual risks were identified and are known.
With reference to the requirement of a legal basis – a question that could still give rise to discussion elsewhere – the analysis of the BK reaches the following result:
The operation of the BA [office automation] does not involve any interference with the rights of individuals. Under these circumstances, the operation of the BA can be based directly on the transfer of the corresponding administrative tasks. An explicit legal basis is therefore not necessary; this also applies to the outsourcing of the BA to the public cloud.
The legal basis therefore remains Art. 57h RVOG (federal bodies may maintain an information and documentation system for the registration, management, indexing and control of correspondence and transactions, which may also contain particularly sensitive data and personality profiles).
According to the analysis of the BK, personal data requiring special protection may not be processed or stored in the public cloud in the present case; it remains on premise. It remains to be seen whether this is a voluntary measure on the part of the federal government or whether it was derived from – unstated – requirements for the legal basis (at best from Art. 17 DPA; however, one would then have to ask whether a norm at this level effectively also governs the processing modality of outsourcing to a contract processor in a cloud – a question that the Public Cloud Report of the Federal Administration also leaves unanswered).
The BK then turns to the requirements of the CyRV, which require, among other things, compliance with basic protection and a protection needs analysis and, if necessary – but not here, since there is no increased need for protection – an ISDS concept (cf. Art. 14b et seq. CyRV; as long as this has not yet been replaced by the ISG or the Information Security Ordinance ISV, expected to come into force on April 1, 2023).
From the point of view of data protection law, a data processing agreement is then to be concluded with Microsoft. With reference to the processing of metadata, Microsoft is a responsible party (controller), but operates within the framework of Art. 57h RVOG. In addition, Microsoft submits regular audit reports (third-party audits), which the Federal Administration in turn audits.
With reference to the protection of secrets, the analysis reflects the now widely accepted result:
Order processing by the provider of a cloud solution is also permissible for data covered by official, business or professional secrecy or professional confidentiality, unless the secrecy and confidentiality obligations are more narrowly defined in special laws and outsourcing to third parties is excluded. […]
With the revised Article 320 SCC, auxiliary persons are now also subject to criminal sanctions. Since external ICT service providers qualify as such, the disclosure of information to commissioned data processors is permissible.
On disclosure abroad, the report states:
No data will be stored on systems outside of Switzerland or the European Union; even a failure of the directory service (Azure AD) will not be handled on a server outside. This also applies to billing and support data (implemented by the end of 2022). Data will only be transferred to the USA anonymously for a limited period of time for security analysis. In accordance with Microsoft’s EU Boundary Measures, Microsoft will compile a list of the data that will be transferred at the beginning of next year. […]
In addition, if a cloud or cloud service is operated by a company with points of reference to the U.S. – regardless of its headquarters, server locations, or where the cloud solution is sourced – there is a risk that this company could disclose customer data to U.S. law enforcement authorities on the basis of the CLOUD Act, even if this violates Swiss law (Art. 271, 320 StGB). However, the prerequisite for this is that these data are related to a crime. […]
In addition to the US Cloud Act, the Foreign Intelligence Surveillance Act (FISA) is of significance. This regulates intelligence spying by U.S. intelligence services. However, it should not carry more weight in the risk assessment than the general risk of intelligence spying.
Due to the shared responsibility, it is up to the departments and administrative units to assess on a case-by-case basis the risk regarding data disclosure to the US based on their data. This legal basis analysis generally points out the existing risk. The deployment guideline E 03135 defines which data may and may not be processed in the cloud. […]
The federal administration transmits the data to Microsoft in the EU (Ireland), a country with an adequate level of data protection according to the list of countries, based on the standard contractual clauses with the addition that the CH-DSG also applies. According to the EU Boundary Measures, all data is held in EU/CH data centers. […]