Fede­ral govern­ment intro­du­ces Micro­soft 365

On Febru­ary 15, 2023, the Fede­ral Coun­cil deci­ded to use Micro­soft 365 as the new Office ver­si­on in the fede­ral admi­ni­stra­ti­on (Media release). The decis­i­on was pre­ce­ded by a test pha­se with the nice tit­le pro­ject “Cloud Enab­ling Office Auto­ma­ti­on” (CEBA). The intro­duc­tion covers Word, Excel, Power­Point, OneN­ote, Out­look, Teams, Win­dows 10 and 11 Enter­pri­se, Share­Point Online, One­Dri­ve for Busi­ness, Stream, Sway, Visio, Power Apps for Micro­soft 365, Power Auto­ma­te for Micro­soft 365, Power Vir­tu­al Agents for Teams, Power BI and others.

The Fede­ral Chan­cel­lery has descri­bed the pro­ject in more detail in an infor­ma­ti­on paper updated to Febru­ary 14, 2023 (here) and ana­ly­zed the admis­si­bi­li­ty of the refe­rence in a paper “Legal Basis” of the same date (here). The result of this paper:

With the con­tracts con­clu­ded with Micro­soft, the fede­ral admi­ni­stra­ti­on has the Foun­da­ti­ons crea­ted, with com­pli­ance with the legal frame­work to allow the use of M365. For the use is a Crea­te deployment gui­de­lineso that data with a hig­her pro­tec­tion requi­re­ment is not stored in the cloud. A risk ana­ly­sis was pre­pared as part of the ISDS con­cept; the resi­du­al risks were iden­ti­fi­ed and are known.

The ana­ly­sis of the BK comes with refe­rence to the Requi­re­ment of the legal basis – a que­sti­on that else­whe­re could still give rise to dis­cus­sion – to the fol­lo­wing result:

The ope­ra­ti­on of the BA [office auto­ma­ti­on] does not invol­ve any inter­fe­rence with the rights of indi­vi­du­als. Under the­se cir­cum­stances, the ope­ra­ti­on of the BA can be based direct­ly on the trans­fer of the cor­re­spon­ding admi­ni­stra­ti­ve tasks. An expli­cit legal basis is the­r­e­fo­re not neces­sa­ry; this also applies to the out­sour­cing of the BA to the public cloud.

The legal basis the­r­e­fo­re remains Art. 57h RVOG (fede­ral bodies may main­tain an infor­ma­ti­on and docu­men­ta­ti­on system for the regi­stra­ti­on, manage­ment, index­ing and con­trol of cor­re­spon­dence and tran­sac­tions, which may also con­tain par­ti­cu­lar­ly sen­si­ti­ve data and per­so­na­li­ty profiles). -

Per­so­nal data requi­ring spe­cial pro­tec­tion may not be pro­ce­s­sed or stored in the public cloud accor­ding to the ana­ly­sis of the BK – in the pre­sent case; it remains on pre­mi­se. It remains to be seen whe­ther this is a vol­un­t­a­ry mea­su­re on the part of the fede­ral govern­ment or whe­ther it was deri­ved from – unsta­ted – requi­re­ments for the legal basis (at best from Art. 17 DPA; howe­ver, one would then have to ask whe­ther this level of the stan­dard effec­tively also applies to the pro­ce­s­sing moda­li­ty of out­sour­cing to a con­tract pro­ces­sor in a cloud – a que­sti­on that is also addres­sed in the Public Cloud Report of the Fede­ral Admi­ni­stra­ti­on has not been provided). 

The BK goes fur­ther to the CyRV requi­re­ments which requi­res, among other things, com­pli­ance with basic pro­tec­tion and a pro­tec­tion needs ana­ly­sis and, if neces­sa­ry – but not here, sin­ce the­re is no increa­sed need for pro­tec­tion – an ISDS con­cept (cf. Art. 14b et seq. CyRV; as long as this has not yet been repla­ced by the ISG or the Infor­ma­ti­on Secu­ri­ty Ordi­nan­ce ISV; expec­ted to come into force on April 1, 2023).

From the point of view of data pro­tec­tion law, Micro­soft is then a Order Pro­ce­s­sing Agree­ment to clo­se. With refe­rence to the pro­ce­s­sing of Meta­da­ta Micro­soft is a respon­si­ble par­ty, but ope­ra­tes within the frame­work of Art. 57h RVOG. In addi­ti­on, Micro­soft sub­mits regu­lar audit reports (third-par­ty audits), which the Fede­ral Admi­ni­stra­ti­on in turn audits.

With refe­rence to the Secret pro­tec­tion the ana­ly­sis reflects the now wide­ly accept­ed result:

Order pro­ce­s­sing by the pro­vi­der of a cloud solu­ti­on is also per­mis­si­ble for data cover­ed by offi­ci­al, busi­ness or pro­fes­sio­nal sec­re­cy or pro­fes­sio­nal con­fi­den­tia­li­ty, unless the sec­re­cy and con­fi­den­tia­li­ty obli­ga­ti­ons are more nar­row­ly defi­ned in spe­cial laws and out­sour­cing to third par­ties is excluded. […] 

With the revi­sed Artic­le 320 SCC, auxi­lia­ry per­sons are now also sub­ject to cri­mi­nal sanc­tions. Sin­ce exter­nal ICT ser­vice pro­vi­ders qua­li­fy as such, the dis­clo­sure of infor­ma­ti­on to com­mis­sio­ned data pro­ces­sors is permissible.

For the Dis­clo­sure abroad the report states:

The­re will be no data on systems out­side of Switz­er­land or the Euro­pean Uni­on stored, even a fail­ure of the direc­to­ry ser­vice (Azu­re AD) will not occur on a ser­ver out­side. This also applies to bil­ling and sup­port data (imple­men­ted until the end of 2022). Data will only be trans­fer­red to the USA anony­mously for a limi­t­ed peri­od of time for secu­ri­ty ana­ly­sis. In accordance with Microsoft’s EU Boun­da­ry Mea­su­res, Micro­soft will com­pi­le a list of the data that will be trans­fer­red at the begin­ning of next year. […] 

In addi­ti­on, if a cloud or cloud ser­vice is ope­ra­ted by a com­pa­ny with points of refe­rence to the U.S. – regard­less of its head­quar­ters, ser­ver loca­ti­ons, or whe­re the cloud solu­ti­on is sourced – the­re is a risk that this com­pa­ny could Cus­to­mer data based on the CLOUD Act to U.S. law enforce­ment aut­ho­ri­ties even if this vio­la­tes Swiss law (Art. 271, 320 StGB). Howe­ver, the pre­re­qui­si­te for this is that the­se data are rela­ted to a crime. […] 

In addi­ti­on to the US Cloud Act, the For­eign Intel­li­gence Sur­veil­lan­ce Act (FISA) is of signi­fi­can­ce. This regu­la­tes intel­li­gence spy­ing by U.S. intel­li­gence ser­vices. Howe­ver, it should not car­ry more weight in the risk assess­ment than the gene­ral risk of intel­li­gence spying.

Due to the shared respon­si­bi­li­ty it is up to the depart­ments and admi­ni­stra­ti­ve units to assess on a case-by-case basis the risk regar­ding data dis­clo­sure to the US based on their data. This legal basis ana­ly­sis gene­ral­ly points out the exi­sting risk. The deployment gui­de­line E 03135 defi­nes which data may and may not be pro­ce­s­sed in the cloud. […] 

The fede­ral admi­ni­stra­ti­on trans­mits the data to Micro­soft in the EU (Ire­land)a coun­try with an ade­qua­te level of data pro­tec­tion accor­ding to the list of count­ries, based on the stan­dard con­trac­tu­al clau­ses with the addi­ti­on that the CH-DSG is also valid. Accor­ding to the EU Boun­da­ry Mea­su­res, all data is held in EU/CH data centers. […]

Also to be obser­ved are – in the cen­tral admi­ni­stra­ti­on – pro­vi­si­ons of the VDTI and the IAMV.




Rela­ted articles