FDPIC: Doubts about the risk-based approach

On June 13, 2022, the FDPIC published an “Opinion on Suva’s data protection risk assessment on the Digital Workspace ‘M365’ project” dated May 13, 2022. The document is here, together with a summary and Suva’s response to it (see below).

Initial situation

According to the statement, Suva provided the FDPIC with documentation on the project, which involved outsourcing certain Suva personal data to Microsoft, with the data located in Switzerland and based on Microsoft’s contract with the Swiss Informatics Conference SIK.

Apparently, it was undisputed that the outsourcing could potentially lead to access by U.S. authorities:

11 Suva assumes that the outsourcing of part of the processing of personal data to a cloud operated by the US company Microsoft on Swiss territory raises the question of possible access by US authorities to the outsourced data.

12 Suva thus assumes mutatis mutandis that the decided outsourcing could be accompanied by a data export to the USA.

In the documentation submitted to the FDPIC, Suva had classified the risk of access as very low:

As part of its risk-based approach, Suva notes that the possibility of judicially reviewable access, i.e. regulatory access to the outsourced personal data based on a request for mutual legal assistance or supported by the U.S. Cloud Act, for the period under consideration of 5 years “amounts to 2.52 % and is thus highly unlikely”. At this value, Suva says, “with a probability of 90 %, statistically speaking (assuming no change in probability), successful lawful access occurs at least once every 903 years.” Even including non-justiciable access by U.S. intelligence agencies, Suva estimates the overall probability it calls “risk” to be “highly unlikely,” although it acknowledges that “some uncertainty remains”. To justify this, it cites, in particular, that the data outsourced to the cloud hardly includes any content that would typically be the subject of intelligence search missions from that country.

According to the FDPIC’s statement, Suva relied on the widely used risk assessment model by David Rosenthal.

Opinion of the FDPIC

In its opinion, the FDPIC states, among other things, that Suva has assessed the admissibility of the planned outsourcing

… according to a risk-based approach, which led it to conclude that these pose no high risks for its insured persons, the patients of its clinics, as well as its employees and other persons concerned. On the basis of this assessment result, there would therefore have been no obligation to make a submission to the FDPIC even if the new law had applied.

This “risk-based” approach is under fire, especially from Austria. However, it can invoke the EDSA’s guidelines on Schrems II measures, in which the EDSA had clearly stated that a so-called risk-based approach applies:

… you may decide to proceed with the transfer without being required to implement supplementary measures, if you consider that you have no reason to believe that relevant and problematic legislation will be applied, in practice, to your transferred data and/or importer.

The current standard contractual clauses also contain similar wording in clause 14:

(a) The parties warrant that they have no reason to believe that the law and practice applicable to the processing of personal data by the data importer in the third country of destination, including requirements to disclose personal data or measures allowing public authorities access to such data, prevent the data importer from fulfilling its obligations under these clauses. …

For its part, in June 2021 the FDPIC published a “Guidance for the examination of the admissibility of data transfers with a foreign connection (pursuant to Art. 6 para. 2 lit. a FADP)” (with an important but never reported adjustment; see p. 7 of Suva’s statement). In it, it committed clearly neither to this risk-based approach nor to its opposite – the zero-risk approach.

The FDPIC now refers to this guidance from June 2021 in its opinion on Suva’s project. First of all, it assumes the following legal bases in the USA:

In casu, the U.S. group Microsoft and its associated corporate units throughout the world, and thus also in Switzerland, are subject to the US Cloud Act. This obliges all company units to guarantee access to personal data by US authorities even if the data is not stored in the USA. The Cloud Act procedure takes place without observing the procedures and guarantees required by the Swiss legal system. In addition, the U.S. puts its security agencies and intelligence agencies in a legal and factual position to encourage parent companies based in U.S. territory to give their offices abroad orders for the procurement of personal data of foreign citizens.

The relevant comments of the FDPIC can be found below. First of all, it finds no evidence of a risk-based approach in the law (which is not the case, see below):

The requirements for data transfers to countries without adequate data protection are listed in the law. However, there are no indications of justification or interpretive arguments that could be based on a differentiation of the intelligence interests of individual exporting states and company- or institution-specific contents of the transferred data. Nor does the wording of the law contain any indication of a risk-based approach to ensuring adequate protection. In the opinion of the FDPIC, it cannot be deduced from this that risk-based arguments in the sense of a supplement to the review procedure recommended by the FDPIC are necessarily excluded by law. However, supplementary arguments must not lead to a weakening of the guarantees guaranteed by fundamental rights in the official context.

27 Against this background, it seems at least questionable to the Commissioner whether the risk-based approach is legally permissible and may be invoked to justify the data outsourcing under discussion here.

Subsequently, the FDPIC argues that “powers” with insufficient protection “basically accumulate all kinds of information”:

31 … It is well known that the security authorities and intelligence services of such states are in the habit of conducting blanket searches of their targets. They have legal powers and actual possibilities to make the parent companies located on their territory search cloud data of all business customers for indications of target persons, which enable the services to obtain the most comprehensive, complete and intimate picture of their target persons. In other words, it must be expected that the intelligence services of powers that do not guarantee third-country nationals adequate data protection will in principle accumulate all kinds of information, without this being apparent to the persons concerned or without them being granted legal protection against this comparable to Swiss law. Furthermore, it must be expected that the intelligence services of these states attach little importance in particular to the principles of purpose limitation and proportionality and regularly obtain private and intimate information such as health data from their target persons. Against this background, Suva’s assumption that the outsourced data hardly includes any content that could typically be the subject of intelligence search orders would meet with reservations even if the admissibility of its risk-based approach were affirmed.

In addition, such powers target the community as a whole and not just individual categories of data:

32 In the Commissioner’s view, federal bodies that are part of a narrower or broader circle of the federal public administration should take into account, before outsourcing personal data, that intelligence data procurement by foreign states without adequate data protection legislation usually targets foreign communities as a whole. The authorities of such states may exert high pressure on the parent groups located on their territory to achieve their procurement goals. The latter, in turn, may thus be prompted to encourage their subsidiaries and other offices in Europe and Switzerland to execute search requests in the personal data files of several or even all of their business customers.

Thus, it seems questionable whether the organization-specific content of the personal data that an individual federal office or an individual federal enterprise such as Suva has processed in a Microsoft cloud can constitute a suitable criterion in the context of its risk-based approach to assess the probability of data access by foreign authorities. However, even if one were to affirm the suitability of the criterion, the low assessment of this probability based on it by Suva, which as a federal body belongs to the extended circle of the commonwealth of the Swiss Confederation, would prove to be insufficiently justified to the extent it has undertaken.

Therefore, and in general, the FDPIC considers the assessment of the probability of access based on the aforementioned form questionable:

Overall, the admissibility of the outsourcing and the associated possibility of data disclosure to the USA as a country without an adequate level of data protection would have to prove problematic even if the legal admissibility of Suva’s risk-based approach were affirmed. On the one hand, it carried out this assessment using organ-specific criteria, the appropriateness of which appears doubtful. In addition, Suva reduced the probability of access by US authorities in its estimate to a negligible value, the derivation of which remains inadequately substantiated in factual terms in the view of the FDPIC.

37 Suva has not only shown a low probability of access by a third-party authority, but has also quantified it on the basis of the calculation method used, with probabilities extrapolated to hundredths of a percent or to hundreds of years. This claim to value accuracy raises doubts, as it is in obvious contrast to the broad discretionary bandwidths that the calculation model grants those responsible for processing in the assumptions from which the quantified risk is derived.

If Suva sticks to the risk-based approach – which the FDPIC does not exclude – a reassessment is required:

40 While maintaining its risk-based approach, the FDPIC advises Suva to promptly reassess the risks associated with the outsourcing of part of its personal data and to adapt its project decisions to the knowledge available to it on the relevant factual and legal situation. In the opinion of the FDPIC, this includes taking into account the trend-setting decisions within the framework of the federal government’s cloud strategy as well as the aforementioned negotiations on a successor regulation to the terminated Privacy Shield framework.

In summary, the FDPIC states:

The FDPIC sees no reason at present to investigate the facts brought to its attention ex officio. However, depending on the development of the factual situation and the legal situation, it reserves the right to take supervisory action at a later date.

Answer from Suva

Together with its opinion, the FDPIC also published Suva’s response of June 9, 2022. Suva does not share the opinion of the FDPIC. Its main objections can be summarized as follows:

  • Suva does not conclude the contract for cloud use with the US company, Microsoft Corp, but with the Irish subsidiary, Microsoft Operations. If there is a disclosure from this to the USA, the standard contractual clauses apply between the Microsoft companies.
  • The CLOUD Act permits data access only within a framework that is essentially the same as the Cybercrime Convention (CCC) ratified by Switzerland. Accordingly, data access is only possible if a company subject to U.S. jurisdiction has effective access to the data in question (“possession, custody or control”). This is apparently not the case with Microsoft’s US company with regard to the data in question:

    … we make sure that Microsoft can and must take the position that their US parent (and only this one is subject to the SCA) has neither “day-to-day control” nor “legal control” over our data in plain text (and certainly not “possession” or “custody”, because the data is only stored in Switzerland and by another company). In this way, even under US law, accesses can be rejected.

  • The “Rosenthal method” is more sophisticated and holistic than the FDPIC’s guidance, is compatible with it, and a better method is not known.
  • The risk-based approach is inherent in Swiss data protection law, and it also applies to foreign disclosures.
  • If Switzerland were to abandon the risk-based approach here, international data transfers to states such as the USA would have to be generally prohibited.
  • Schrems II allows for the risk-based approach.
  • The relevant principles of US law do not apply in casu.

Notes

The first question is what the FDPIC says in its opinion. One may read the statements as follows:

  • Whether the risk-based approach is admissible is not something the FDPIC can or wants to judge conclusively, but in any case it shies away from confirming the risk-based approach.
  • It is doubtful whether the risks were correctly assessed with the form used – the probability values are not convincing because their derivation was not sufficiently clear, and in any case the “claim to value accuracy” is doubtful.
  • Suva should carry out a reassessment. By then, a new Privacy Shield may be foreseeable, and one should also wait until the results of the federal government’s test operation of the Microsoft Cloud are available.

In other words, the FDPIC has expressed doubts in various respects but has not specified them in terms of content.

There are a few points to note about this:

  • Schrems II is not binding for Switzerland. Nor are guidelines issued by the EDSA. Even within the EEA, opinions of authorities are not binding. Switzerland has its own data protection law, even if it rightly does not close its eyes to the GDPR. Adopting EU law can be right and sensible, but only within the framework of Swiss law.
  • The wording of Art. 6 FADP shows precisely that, in the case of transfers abroad, data subjects are to be protected from serious violations of personality. There is no clearer way to formulate a risk-based approach. Not every transfer to a country with weaker legal protection leads to a serious violation of privacy. The DPA does not make data subjects a pawn in political disputes.
  • That certain fundamentals of U.S. law are deficient from a Swiss perspective is true. However, as long as they do not apply in a specific case, these bases do not have any concrete meaning and cannot lead to a violation of personality, certainly not a serious one.
  • The FDPIC has omitted this examination – whether the deficient U.S. law applies – arguing that a risk-based approach is lacking. Thus, two questions are mixed: under what conditions and to what are these laws applicable at all, and – if they are – with what probability does an authority make use of them. Only the second question deserves the name “risk-based approach”. The first question, however, should not be ignored.
  • The form by David Rosenthal uses probability values not because there is a demand for accuracy, but for self-reflection in an otherwise emotional risk assessment (this is shown by the statement of the FDPIC) and as an instrument of risk communication. Of course, “garbage in, garbage out” applies, but in what assessment does it not?
  • Other agencies have accepted the risk-based approach, not just the Zurich Government Council, but also a known prosecutor for professional secrets (a data law issue, but not a data protection law issue; professional secrets, however, protect the will to secrecy comprehensively – if no secret stands in the way of a data disclosure, then neither does data protection).

All in all, the impression is that the FDPIC is protecting its own position on all sides. In view of the still unconfirmed adequacy of the Swiss level of protection, a flank is probably to be avoided here – this is not incomprehensible, because if Swiss law has a different standard precisely on the issue of foreign transfers, Switzerland risks becoming a hub of unregulated data flows from the EU’s perspective. At the same time, the FDPIC is aware that a consistent zero-risk approach would lead to the collapse of the Swiss economy. Not only would there be no more team calls – there would be no more global corporations and no more international cancer research. There is no realistic alternative for international data transfers. A zero-risk approach takes the entire economy hostage to political wrangling, arguing that under certain conditions – which are not examined! – authorities can access certain categories of data too extensively.

Overall, while there remains gratitude that there is a good exchange between the supervisory authority and the law-applying authorities and companies in Switzerland, there is also a certain perplexity and the impression of a perhaps somewhat despondent attitude towards the EU. According to Art. 28 and Art. 31 FADP, as well as Art. 58 revDSG, the FDPIC has the task of assisting private individuals and bodies of the Confederation and the cantons in matters of data protection. This requires contributing to legal certainty in an area of law that is developing so rapidly, is so complex, and is so far-reaching.
