Introductory considerations
It is no secret that cloud services are the topic of the day, nor that this affects all industries – including regulated industries such as banks, insurers and players in the healthcare sector, as well as authorities at federal, cantonal and municipal level. Large customers in particular are increasingly using services from foreign providers such as Amazon Web Services (AWS), Google or Microsoft (in the SaaS area also from other providers, and of course still from Swiss providers). Outsourcing entails a certain loss of one’s own control, but often also an increase in data security.
Depending on the provider, service and data location, this means a greater or lesser exposure to foreign jurisdictions and authorities. In the past, the prevailing opinion – or more or less the only one – was that outsourcing to cloud providers (at that time, rather ASP providers) was inadmissible if it could involve the disclosure of secrecy-protected data abroad. This amounted to a kind of “over the border, out of control” principle, on the assumption that the penalties for breaches of professional secrecy would legally, or at least in fact, come to nothing once foreign authorities could access the secrets.
The world has been a different place since then. Cloud solutions have become the standard in many industries. It is now generally accepted that there is no prohibition on outsourcing abroad or to a foreign cloud provider.
In addition, however, there are regulatory requirements with which banks and insurers, among others, must comply, for example agreeing FINMA’s audit rights or reporting security incidents.
Below, we show that using the cloud for production workloads is also possible for regulated enterprises.
Data protection and secrecy: convergence in risk assessment
Data protection and secrecy laws are increasingly converging. Both permit disclosure of data along value chains within Switzerland, and both provide for stricter rules and, as a consequence, for a risk assessment and controls when data is transferred abroad. At the legal level, the opinion has now prevailed that neither data protection law nor the law on the protection of secrets fundamentally opposes outsourcing, even if a provider abroad may have access to plaintext data.
This was advocated in particular by the Swiss Bankers Association (SBA) on the basis of two expert opinions, which were incorporated into a corresponding guide, and by David Rosenthal in his comprehensive article in Jusletter of August 10, 2020. The reasoning was similar in each case: there is no prohibition on outsourcing abroad, disclosure to the service provider is not prohibited as such either, and according to the current case law of the Federal Supreme Court only actual access by foreign authorities, in the sense of an offence defined by its result, would be decisive.
Appropriate risk control therefore remains crucial. Data protection law, for example, requires, in addition to concluding the Standard Contractual Clauses, an assessment of the risk that an authority in a third country without an adequate level of protection accesses the transferred personal data on the basis of legislation or practice that is inadequate in terms of the rule of law.
Risk assessment is likewise the key to disclosure abroad under secrecy law. If it is certain, or if a company assumes on the basis of risk considerations, that a secret is protected and would be violated if a foreign authority were to gain access to it, the question arises as to whether such access would have been brought about by intentional or negligent conduct. This is in any case not so if the holder of the secret – e.g. the bank, but also the lawyer – has taken those measures that are ex ante necessary and appropriate to reduce the risk of such access below the threshold of what is socially acceptable.
This threshold, like the protection of secrets as such, is determined by the expectations of the owners of the secrets, which are to be substantiated in a manner typical for the industry. Here, the assumption suggests itself that absolute protection is expected only in rare exceptions. It is true that no clear line can be drawn, because the determination of risks is an exact science neither ex ante nor ex post. A bank, securities firm or other party bound by secrecy must and may undertake this risk assessment without zero risk being the goal. Conceptually, this risk assessment is no different from that under data protection law, except that it has a somewhat different subject matter and therefore turns out to be more in-depth.
The data protection and confidentiality considerations therefore converge, mutatis mutandis, in a risk assessment. Since zero risk does not exist, the result cannot be otherwise. Advanced cloud providers offer “on-board” resources here to protect customer data, e.g. state-of-the-art encryption.
Agreements with cloud providers
In addition to the question of acceptable residual risk, the main issue is how regulated companies can implement the regulatory requirements. The contracts with the cloud providers are an essential element of this. In general, however, it can be observed that the contribution cloud contracts can make is overestimated, which is perhaps related to a bias of the legal profession towards contracts. Those who seek salvation too much in the wording of the contract overestimate both the weaknesses and the effect of the contracts and tend to underestimate other risks, for example their own responsibility for implementing technical security measures such as encryption, redundant data storage or even a clear cloud strategy. This is because risks arise not only from a contractual shortfall but also, for example, from an incomplete delineation of responsibilities (in the sense of “shared responsibility”), an insufficient mapping of customer-side responsibilities to internal processes, or other internal obligations such as, where applicable, storing customer data in Switzerland in parallel to the foreign location because of the corresponding FINMA requirements. Particularly for banks and securities firms, corresponding obligations arise from special regulations such as Annex 3 of the FINMA Circular on Operational Risks.
This is not, of course, to diminish the importance of the providers’ contractual arrangements. Last but not least, the requirements for provider contracts, at least for material outsourcing, are described in more detail in FINMA’s Outsourcing Circular (and the aforementioned SBA guide also contains guidance). The Outsourcing Circular serves as a corresponding guideline for providers. Here, it can be observed that great progress has been made in recent years, months and weeks. All of the major cloud providers offer their own contracts or contract addenda with which they cover the minimum requirements of the FINMA Circular. The new rules will have a positive impact on the audit process, particularly with regard to the audit rights of customers, their internal and external auditors, and FINMA. With all providers, for example, FINMA now has a contractual right to conduct audits directly at the provider’s premises without the client having to intervene. The aspect of business continuity in connection with the providers’ termination and discontinuation options and the rights of service recipients within the customer group has been expanded. In general, it can be observed that the cloud providers take feedback from customers and also from FINMA seriously and implement it in principle. This can easily be traced in the history of the contractual agreements. FINMA has already accepted the contracts of the three major providers. Customers therefore need not fear any significant headwind from FINMA with regard to the corresponding contractual arrangements.
Contract negotiations
It often remains right or necessary to discuss and renegotiate contracts, for various reasons, including internal requirements, the company’s own risk appetite, industry practices, commercial weight, etc. However, not every defect in a contract determines the permissibility of outsourcing. Certain ambiguities can be accepted, for example if the wording is not clear but the meaning is. Depending on the situation, gaps can also be closed by the customer. One example is the Swiss data location: the major providers operate data centers in Switzerland or have announced Swiss regions, but regulatory requirements in this regard can also be met by storing data abroad and replicating it in Switzerland on the customer side.
Common points of negotiation also concern clarifications and, of course, commercial points. Liability – to pick an example – is not purely commercial in nature, since the Federal Supreme Court in its decision BGE 145 II 229 also referred to the liability provisions when assessing the appropriateness of outsourcing by a law firm. However, it did not state that liability as such was decisive. Rather, what was defective in the case under review was a contract that was inadequate in several respects and apparently as a whole. In the context of professional secrecy, liability can only serve as an incentive to behave in conformity with the contract. It cannot, however, undo an improper disclosure; in that case it merely leads to a shift in assets. This is of course important, but it is a matter of solvency, not of professional secrecy. Accordingly, liability can only have regulatory significance if, without it, there would be insufficient incentive to ensure the contractually agreed security, confidentiality and purpose limitation of the secret. At least for larger providers, however, this incentive is less a question of liability than of reputation. If, for example, FINMA were to conclude that a cloud provider was unreliable, the Swiss market would be difficult for that provider to penetrate.
This evolution is not complete, and future versions of the contracts will make certain requirements (“controls”) even more robust, but it would be a mistake to place the weight of the risk assessment too one-sidedly on the wording of the contracts. As contracts mature, the focus from the customer’s perspective continues to shift to the internal control of the supplier relationship and to communication with the outside world, for example also in general terms and conditions – both of which can already be observed and will increase.