BVGer – A‑661/2022: no pre­cau­tio­na­ry ban on the use of public clouds at the expen­se of the fede­ral government

In a sub­mis­si­on dated Febru­ary 9, 2022, a pri­va­te indi­vi­du­al had reque­sted the Fede­ral Admi­ni­stra­ti­ve Court to Fede­ral Chan­cel­lery (BK) was to for­bid, the work in con­nec­tion with the fede­ral government’s cloud stra­tegy (on this here) or con­ti­n­ue accor­ding to data Out­sour­ce to the public clouds of the five pro­vi­ders Micro­soft, Ora­cle, IBM, AWS and Ali­baba.

The SNB had dis­missed the appli­ca­ti­on for a pre­cau­tio­na­ry ban on March 31, 2022, becau­se it had con­side­red its­elf to lack juris­dic­tion. On appeal, the Fede­ral Supre­me Court had held that the FAC had com­mit­ted a for­mal deni­al of justi­ce becau­se it had wron­gly left open the que­sti­on of juris­dic­tion to issue pre­cau­tio­na­ry mea­su­res and had wron­gly fai­led to exami­ne the sub­stance of the appli­ca­ti­on for pre­cau­tio­na­ry mea­su­res (Decis­i­on 1C_216/2022 of July 28, 2022). It the­r­e­fo­re refer­red the mat­ter back to the FAC.

The BVGer rejects the Request for pre­cau­tio­na­ry mea­su­res in an inte­rim order (Busi­ness no. A‑661/2022) now again from, this time with a dis­cus­sion of the con­tent (see also the Media release of the BK):

• Inso­far as the appli­ca­ti­on is direc­ted against pro­ce­s­sing not by the BK but by other admi­ni­stra­ti­ve units, it must be rejec­ted becau­se the BK – as the addres­see – would not be respon­si­ble for it;
• The com­plainant has the right to appeal with regard to his own per­so­nal data. He has a legi­ti­ma­te inte­restbecau­se any data pro­ce­s­sing inter­fe­res with the “fun­da­men­tal right to infor­ma­tio­nal self-deter­mi­na­ti­on” accor­ding to BV 13 II. The per­son affec­ted by a data pro­ce­s­sing has “in prin­ci­ple a cur­rent and prac­ti­cal inte­rest in war­ding off unju­sti­fi­ed encroach­ments”. Nor can the legi­ti­ma­cy to file an appeal be denied becau­se the com­plainant would not be more inten­si­ve­ly affec­ted by a shift of his data to a public cloud than other per­sons, becau­se other­wi­se, pre­cis­e­ly whe­re data pro­ce­s­sing affects a lar­ge part of the popu­la­ti­on, “the claims under data pro­tec­tion law would be emp­tied of their con­tent for for­mal rea­sons” – a com­pre­hen­si­ble but far-rea­ching statement;
• on the merits, the appli­ca­ti­on must be rejec­ted becau­se the BK – and only the­se are at sta­ke – today does not pro­cess any per­so­nal data of the com­plainant or move it to a public cloudand it is also “not yet appa­rent that, as part of the pro­ject to intro­du­ce cer­tain Micro­soft 365 appli­ca­ti­ons in the cloud, which is curr­ent­ly still in the con­cept pha­se, older data will also be filed elec­tro­ni­cal­ly and/or stored in a cloud”. Accor­din­gly, both a rea­son for the order and a par­ti­cu­lar urgen­cy are missing.

Whe­ther the pri­va­te indi­vi­du­al will now also take action against other admi­ni­stra­ti­ve units if they want to obtain ser­vices from the public clouds – which they can now do after the com­plaint has been dis­missed – remains to be seen.