FDPIC: Doubts about the risk-based approach

On June 13, 2022, the FDPIC published an “Opinion on Suva’s data protection risk assessment on the Digital Workspace ‘M365’ project” dated May 13, 2022. The document is available here together with a summary and Suva’s response to it (see below).

Initial situation

According to the opinion, Suva provided the FDPIC with documentation on the project, which involves outsourcing certain Suva personal data to Microsoft, with the data located in Switzerland and on the basis of Microsoft’s contract with the Swiss Informatics Conference SIK.

Apparently it was undisputed that the outsourcing could potentially lead to access by U.S. authorities:

11 Suva assumes that the outsourcing of part of the processing of personal data to a cloud operated on Swiss territory by the US company Microsoft raises the question of possible access by US authorities to the outsourced data.

12 Suva thus assumes, mutatis mutandis, that the decided outsourcing could be accompanied by a data export to the USA.

In the documentation submitted to the FDPIC, Suva had classified the risk of access as very low:

As part of its risk-based approach, Suva notes that the possibility of justiciable access, i.e. regulatory access to the outsourced personal data based on a request for mutual legal assistance or supported by the U.S. Cloud Act, for the period under consideration of 5 years “amounts to 2.52 % and is thus highly unlikely”. At this value, Suva says, “with a probability of 90 %, statistically speaking (assuming no change in probability), successful lawful access occurs at least once every 903 years.” Even including non-justiciable access by U.S. intelligence agencies, Suva estimates the overall probability it calls “risk” to be “highly unlikely”, although it acknowledges that “some uncertainty remains”. To justify this, it cites in particular that the data outsourced to the cloud hardly includes any content that would typically be the subject of intelligence search missions from that country.

According to the FDPIC’s opinion, Suva relied on the widely used risk assessment model by David Rosenthal.

Opinion of the FDPIC

In its opinion, the FDPIC states, among other things, that Suva assessed the admissibility of the planned outsourcing

… according to a risk-based approach, which led it to conclude that this entails no high risks for its insured persons, the patients of its clinics, its employees and other persons concerned. On the basis of this assessment result, there would therefore have been no obligation to make a submission to the FDPIC even if the new law had applied.

This “risk-based” approach is under fire, especially from Austria. However, it can invoke the guidelines of the EDSA (the European Data Protection Board) on Schrems II measures, in which the EDSA clearly stated that a so-called risk-based approach applies:

… you may decide to proceed with the transfer without being required to implement supplementary measures, if you consider that you have no reason to believe that relevant and problematic legislation will be applied, in practice, to your transferred data and/or importer.

The current standard contractual clauses also contain similar wording in clause 14:

(a) The parties warrant that they have no reason to believe that the law and practice applicable to the processing of personal data by the data importer in the third country of destination, including requirements to disclose personal data or measures allowing public authorities access to such data, prevent the data importer from fulfilling its obligations under these clauses. …

For its part, the FDPIC published in June 2021 a “Guidance for the examination of the admissibility of data transfers with a foreign connection (pursuant to Art. 6 para. 2 lit. a FADP)” (with an important but never reported adjustment; see p. 7 of Suva’s statement). In it, it committed clearly neither to this risk-based approach nor to its opposite, the zero-risk approach.

The FDPIC now refers to this guidance from June 2021 in its opinion on Suva’s project. First of all, it assumes the following legal bases in the USA:

In casu, the U.S. group Microsoft and its associated corporate units throughout the world, and thus also in Switzerland, are subject to the US Cloud Act. This obliges all company units to guarantee access to personal data by US authorities even if the data is not stored in the USA. The Cloud Act procedure takes place without observing the procedures and guarantees required by the Swiss legal system. In addition, the U.S. puts its security agencies and intelligence agencies in a legal and factual position to prompt parent companies based on U.S. territory to give their offices abroad orders for the procurement of personal data of foreign citizens.

The relevant comments of the FDPIC can be found below. First, it finds no indication of a risk-based approach in the law (which is not the case; see below):

The requirements for data transfers to countries without adequate data protection are listed in the law. However, there are no indications of justification or interpretive arguments that could be based on a differentiation of the intelligence interests of individual exporting states and company- or institution-specific contents of the transferred data. Nor does the wording of the law contain any indication of a risk-based approach to ensuring adequate protection. In the opinion of the FDPIC, it cannot be deduced from this that risk-based arguments in the sense of a supplement to the review procedure recommended by the FDPIC are necessarily excluded by law. However, supplementary arguments must not lead to a weakening of the guarantees afforded by fundamental rights in the official context.

27 Against this background, it seems at least questionable to the Commissioner whether the risk-based approach is legally permissible and may be invoked to justify the data outsourcing under discussion here.

Subsequently, the FDPIC argues that “powers” with insufficient protection “basically accumulate all kinds of information”:

31 … It is well known that the security authorities and intelligence services of such states are in the habit of conducting blanket searches of their targets. They have legal powers and actual possibilities to make the parent companies located on their territory search cloud data of all business customers for indications of target persons, which enable the services to obtain the most comprehensive, complete and intimate picture of their target persons. In other words, it must be expected that the intelligence services of powers that do not guarantee third-country nationals adequate data protection will in principle accumulate all kinds of information, without this being apparent to the persons concerned and without their being granted legal protection against this comparable to Swiss law. Furthermore, it must be expected that the intelligence services of these states attach little importance in particular to the principles of purpose limitation and proportionality and regularly obtain private and intimate information such as health data on their target persons. Against this background, Suva’s assumption that the outsourced data hardly includes any content that could typically be the subject of intelligence search orders would meet with reservations even if the admissibility of its risk-based approach were affirmed.

In addition, such powers target the community as a whole and not just individual categories of data:

32 In the Commissioner’s view, federal bodies that are part of the narrower or broader circle of the federal public administration should take into account, before outsourcing personal data, that intelligence data procurement by foreign states without adequate data protection legislation usually targets foreign communities as a whole. The authorities of such states may exert high pressure on the parent groups located on their territory to achieve their procurement goals. The latter, in turn, may thus be prompted to encourage their subsidiaries and other offices in Europe and Switzerland to execute search requests in the personal data files of several or even all of their business customers.

Thus, it seems questionable whether the organization-specific content of the personal data that an individual federal office or an individual federal enterprise such as Suva has processed in a Microsoft cloud can constitute a suitable criterion in the context of its risk-based approach to assess the probability of data access by foreign authorities. However, even if one were to affirm the suitability of the criterion, the low assessment of this probability based on it by Suva, which as a federal body belongs to the extended circle of the commonwealth of the Swiss Confederation, would prove, to the extent it has been undertaken, to be insufficiently justified.

Therefore, and in general, the assessment of the probability of access using the form mentioned is questionable:

Overall, the admissibility of the outsourcing and the associated possibility of data disclosure to the USA as a country without an adequate level of data protection would have to prove problematic even if the legal admissibility of Suva’s risk-based approach were affirmed. On the one hand, it carried out this assessment using organ-specific criteria, the appropriateness of which appears doubtful. In addition, Suva reduced the probability of access by US authorities in its estimate to a negligible value, the derivation of which remains inadequately substantiated in factual terms in the view of the FDPIC.

37 Suva has not only shown a low probability of access by a third-party authority, but has also quantified it, on the basis of the calculation method used, with probabilities extrapolated to hundredths of a percent or to hundreds of years. This claim to value accuracy raises doubts, as it is in obvious contrast to the broad discretionary bandwidths that the calculation model grants those responsible for processing in the assumptions from which the quantified risk is derived.
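The point in paragraph 37 about the tension between a headline figure like “once every N years” and the wide bands an assessor has when filling in the inputs can be made concrete with a small sensitivity calculation. The following Python script is an added illustration, not Suva’s assessment and not David Rosenthal’s form: it assumes a simple model in which the probability of successful access within the consideration period is the product of a few independent factor estimates, each given as a low/best/high band, and in which every year carries the same independent probability of an access event. The factor names, their band values and the 5-year period are constructed for the example; the script does not reproduce Suva’s 2.52 % or 903-year figures, whose inputs are not on the page.

```python
"""Sensitivity of a quantified access-risk estimate to its input bands.

Added illustration (not Suva's assessment, not David Rosenthal's form).
Model assumptions: the probability of at least one successful access within
the consideration period is the product of independent factor estimates, and
each year carries the same independent probability of an access event.
"""
import math

# Constructed decomposition of "successful lawful access within the period"
# into factors, each as (low, best, high) estimates. Names and values are
# invented for the example and are not Suva's figures.
FACTORS = {
    "authority requests data from the provider": (0.05, 0.10, 0.20),
    "request covers this customer's data":       (0.02, 0.05, 0.10),
    "provider has control over the plaintext":   (0.20, 0.50, 0.80),
    "request survives legal challenge":          (0.30, 0.50, 0.70),
}
PERIOD_YEARS = 5      # consideration period, constructed for the example
CONFIDENCE = 0.9      # "occurs at least once with 90 % probability"


def annual_probability(period_p: float, years: float) -> float:
    """Per-year probability implied by a probability over `years` years."""
    if not 0.0 <= period_p < 1.0:
        raise ValueError("period probability must be in [0, 1)")
    return 1.0 - (1.0 - period_p) ** (1.0 / years)


def period_probability(annual_p: float, years: float) -> float:
    """Probability of at least one event in `years` years at a constant annual probability."""
    return 1.0 - (1.0 - annual_p) ** years


def recurrence_years(annual_p: float, confidence: float = CONFIDENCE) -> float:
    """Years within which at least one event occurs with the given confidence.

    Solves 1 - (1 - annual_p) ** t = confidence for t; infinite if annual_p is 0.
    """
    if annual_p <= 0.0:
        return math.inf
    return math.log(1.0 - confidence) / math.log(1.0 - annual_p)


def combined_period_probability(factors: dict, pick: int) -> float:
    """Multiply out one column (0 = low, 1 = best, 2 = high) of the factor bands."""
    p = 1.0
    for band in factors.values():
        p *= band[pick]
    return p


def estimate_band(factors: dict, years: float = PERIOD_YEARS,
                  confidence: float = CONFIDENCE) -> dict:
    """Recurrence interval at the low, best and high corners of the bands.

    'low' uses the lowest estimate of every factor (smallest probability,
    longest interval); 'high' the highest estimate of every factor.
    """
    result = {}
    for pick, label in enumerate(("low", "best", "high")):
        period_p = combined_period_probability(factors, pick)
        annual_p = annual_probability(period_p, years)
        result[label] = {
            "period_probability": period_p,
            "annual_probability": annual_p,
            "recurrence_years": recurrence_years(annual_p, confidence),
        }
    return result


def band_spread(result: dict) -> float:
    """Ratio between the longest and shortest recurrence interval in the band,
    i.e. how far the headline 'once every N years' moves across the assessor's
    discretion in filling in the inputs."""
    return result["low"]["recurrence_years"] / result["high"]["recurrence_years"]


if __name__ == "__main__":
    band = estimate_band(FACTORS)
    for label, row in band.items():
        print(f"{label:>4}: P(access in {PERIOD_YEARS} y) = "
              f"{row['period_probability']:.4%}, once in ~"
              f"{row['recurrence_years']:,.0f} years at {CONFIDENCE:.0%} confidence")
    print(f"spread across the bands: {band_spread(band):.0f}x")
```

With the constructed bands, the best-case estimates give a period probability of 0.125 % and an interval of roughly nine thousand years, while moving every factor to the edge of its band shifts that interval by more than two orders of magnitude in either direction. The arithmetic that turns a period probability into an annualised “once in N years” figure is exact; what the spread shows is that the precision of the result is bounded by the width of the bands, not by the number of decimal places in the output.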

If Suva sticks to the risk-based approach – which the FDPIC does not exclude – a reassessment is required:

40 While maintaining its risk-based approach, the FDPIC advises Suva to promptly reassess the risks associated with the outsourcing of part of its personal data and to adapt its project decisions to the knowledge available to it on the relevant factual and legal situation. In the opinion of the FDPIC, this includes taking into account the trend-setting decisions within the framework of the federal government’s cloud strategy as well as the aforementioned negotiations on a successor regulation to the terminated Privacy Shield framework.

In summary, the FDPIC states:

The FDPIC sees no reason at present to investigate the facts brought to its attention ex officio. However, depending on the development of the factual and legal situation, it reserves the right to take supervisory action at a later date.

Answer from Suva

Together with its opinion, the FDPIC also published Suva’s response of June 9, 2022. Suva does not share the opinion of the FDPIC. Its main objections can be summarized as follows:

  • Suva does not conclude the contract for cloud use with the US company, Microsoft Corp, but with the Irish subsidiary, Microsoft Operations. If there is a disclosure from the latter to the USA, the standard contractual clauses apply between the Microsoft companies.
  • The CLOUD Act permits data access only within a framework that is essentially the same as that of the Cybercrime Convention (CCC) ratified by Switzerland. Accordingly, data access is only possible if a company subject to U.S. jurisdiction has effective access to the data in question (“possession, custody or control”). This is apparently not the case for Microsoft’s US company with regard to the data in question:

    … we make sure that Microsoft can and must take the position that its US parent (and only this one is subject to the SCA) has neither “day-to-day control” nor “legal control” over our data in plain text (and certainly not “possession” or “custody”, because the data is only stored in Switzerland and by another company). In this way, accesses can be rejected even under US law.

  • The “Rosenthal method” is more sophisticated and holistic than the FDPIC’s guidance, is compatible with it, and a better method is not known.
  • The risk-based approach is inherent in Swiss data protection law, and it also applies to foreign disclosures.
  • If Switzerland were to abandon the risk-based approach here, international data transfers to states such as the USA would have to be generally prohibited.
  • Schrems II allows for the risk-based approach.
  • The relevant principles of US law do not apply in casu.

Notes

The first question is what the FDPIC actually says in its opinion. One may read its statements as follows:

  • Whether the risk-based approach is admissible is not something the FDPIC can or wants to judge conclusively, but in any case it shies away from confirming the risk-based approach.
  • It is doubtful whether the risks were correctly assessed with the form used – the probability values are not convincing because their derivation was not sufficiently clear, and in any case the “claim to value accuracy” is doubtful.
  • Suva should carry out a reassessment. By then, a new Privacy Shield may be foreseeable, and one should also wait until the results of the federal government’s test operation of the Microsoft cloud are available.

In other words, the FDPIC has expressed doubts in various respects but has not specified them in terms of content.

There are a few points to note about this:

  • Schrems II is not binding for Switzerland. Nor are guidelines issued by the EDSA. Even within the EEA, opinions of authorities are not binding. Switzerland has its own data protection law, even if it rightly does not close its eyes to the GDPR. Adopting EU law can be right and sensible, but only within the framework of Swiss law.
  • The wording of Art. 6 FADP shows precisely that, in the case of transfers abroad, data subjects are to be protected from serious violations of their personality rights. There is no clearer way to formulate a risk-based approach. Not every transfer to a country with weaker legal protection leads to a serious violation of privacy. The FADP does not make data subjects a pawn in political disputes.
  • That certain fundamentals of U.S. law are deficient from a Swiss perspective is true. As long as they do not apply in a specific case, however, these bases have no concrete meaning and cannot lead to a violation of personality rights, certainly not a serious one.
  • The FDPIC has omitted this examination – whether the deficient U.S. law applies – arguing that a risk-based approach is lacking. Thus two questions are mixed up: under what conditions and to what these laws apply at all, and – if they do – with what probability an authority makes use of them. Only the second question deserves the name “risk-based approach”. The first question, however, should not be ignored.
  • The form by David Rosenthal uses probability values not because there is a demand for accuracy, but for self-reflection in an otherwise emotional risk assessment (this is shown by the statement of the FDPIC) and as an instrument of risk communication. Of course, “garbage in, garbage out” applies, but in what assessment does it not?
  • Other agencies have accepted the risk-based approach, not just the Zurich Government Council but also a known prosecutor with regard to professional secrecy (a question of data law, but not of data protection law; professional secrecy, however, protects the will to secrecy comprehensively – if no secret stands in the way of a data disclosure, then neither does data protection).

All in all, the impression is that the FDPIC is protecting its own position on all sides. In view of the still unconfirmed adequacy of the Swiss level of protection, an exposed flank is probably to be avoided here – this is not incomprehensible, because if Swiss law has a different standard precisely on the issue of foreign transfers, Switzerland risks becoming a hub of unregulated data flows from the EU’s perspective. At the same time, the FDPIC is aware that a consistent zero-risk approach would lead to the collapse of the Swiss economy. Not only would there be no more Teams calls – there would be no more global corporations and no more international cancer research. There is no realistic alternative for international data transfers. A zero-risk approach takes the entire economy hostage to political wrangling, arguing that under certain conditions – which are not examined! – certain categories of data could be accessed too extensively.

Overall, while there remains gratitude that there is a good exchange between the supervisory authority and the law-applying authorities and companies in Switzerland, there is also a certain perplexity and the impression of a perhaps somewhat despondent attitude towards the EU. According to Art. 28 and Art. 31 FADP, and likewise Art. 58 revDSG, the FDPIC has the task of assisting private individuals and bodies of the Confederation and the cantons in matters of data protection. This requires contributing to legal certainty in an area of law that is developing so rapidly, is so complex and is so far-reaching.