On June 13, 2022, the FDPIC published an “Opinion on Suva’s data protection risk assessment on the Digital Workspace ‘M365′ project” dated May 13, 2022. The document is here together with a summary and Suva’s response to it (see below).
Initial situation
According to the statement, Suva provided the FDPIC with documentation on the project, which involved outsourcing certain Suva personal data to Microsoft, with data located in Switzerland and based on Microsoft’s contract with the Swiss Informatics Conference SIK.
Apparently, it was undisputed that the outsourcing could potentially lead to access by U.S. authorities:
11 Suva assumes that the outsourcing of part of the processing of personal data to a cloud operated by the US company Microsoft on Swiss territory raises the question of possible access by US authorities to the outsourced data.
12 Suva thus assumes mutatis mutandis that the decided outsourcing could be accompanied by a data export to the USA.
In the documentation submitted to the FDPIC, Suva had classified the risk of access as very low:
As part of its risk-based approach, Suva notes that the possibility of justiciable access, i.e. regulatory access to the outsourced personal data based on a request for mutual legal assistance or supported by the U.S. CLOUD Act, for the period under consideration of 5 years “amounts to 2.52 % and is thus highly unlikely”. At this value, Suva says, “with a probability of 90 %, statistically speaking (assuming no change in probability), successful lawful access occurs at least once every 903 years.” Even including non-justiciable access by U.S. intelligence agencies, Suva estimates the overall probability it calls “risk” to be “highly unlikely,” although it acknowledges that “some uncertainty remains”. To justify this, it cites in particular that the data outsourced to the cloud hardly includes any content that would typically be the subject of intelligence search orders from that country.
According to the FDPIC’s opinion, Suva relied on the widely used risk assessment model by David Rosenthal.
Opinion of the FDPIC
In its opinion, the FDPIC notes, among other things, that Suva considers the planned outsourcing admissible, having
… assessed it according to a risk-based approach, which led it to conclude that this entails no high risks for its insured persons, the patients of its clinics, its employees and other persons concerned. On the basis of this assessment result, there would therefore have been no obligation to submit the project to the FDPIC even if the new law had applied.
This “risk-based” approach is under fire, especially from Austria. However, Suva can invoke the recommendations of the EDSA (the EDPB) on Schrems II measures, in which the EDSA clearly stated that a so-called risk-based approach applies:
… you may decide to proceed with the transfer without being required to implement supplementary measures, if you consider that you have no reason to believe that relevant and problematic legislation will be applied, in practice, to your transferred data and/or importer.
The current standard contractual clauses also contain similar wording in clause 14:
(a) The parties warrant that they have no reason to believe that the law and practice applicable to the processing of personal data by the data importer in the third country of destination, including requirements to disclose personal data or measures allowing public authorities access to such data, prevent the data importer from fulfilling its obligations under these clauses. …
For its part, the FDPIC published in June 2021 a “Guidance for the examination of the admissibility of data transfers with a foreign connection (pursuant to Art. 6 para. 2 lit. a FADP)” (with an important but never reported adjustment; see p. 7 of Suva’s statement). In it, it committed clearly neither to this risk-based approach nor to its opposite – the zero-risk approach.
The FDPIC now refers to this guidance from June 2021 in its opinion on Suva’s project. First of all, it assumes the following legal bases in the USA:
In casu, the U.S. group Microsoft and its associated corporate units throughout the world, and thus also in Switzerland, are subject to the US Cloud Act. This obliges all company units to guarantee access to personal data by US authorities even if the data is not stored in the USA. The Cloud Act procedure takes place without observing the procedures and guarantees required by the Swiss legal system. In addition, the U.S. puts its security and intelligence agencies in a legal and factual position to induce parent companies based on U.S. territory to give their offices abroad orders for the procurement of personal data of foreign citizens.
The relevant comments of the FDPIC follow. First of all, the law is said to contain no indication of a risk-based approach (which is not the case, see below):
The requirements for data transfers to countries without adequate data protection are listed in the law. However, there are no indications of justification or interpretive arguments that could be based on a differentiation of the intelligence interests of individual exporting states and company- or institution-specific contents of the transferred data. Nor does the wording of the law contain any indication of a risk-based approach to ensuring adequate protection. In the opinion of the FDPIC, it cannot be deduced from this that risk-based arguments in the sense of a supplement to the review procedure recommended by the FDPIC are necessarily excluded by law. However, supplementary arguments must not lead to a weakening of the guarantees afforded by fundamental rights in the official context.
27 Against this background, it seems at least questionable to the Commissioner whether the risk-based approach is legally permissible and may be invoked to justify the data outsourcing under discussion here.
Subsequently, the FDPIC argues that “powers” with insufficient protection “in principle accumulate all kinds of information”:
31 … It is well known that the security authorities and intelligence services of such states are in the habit of conducting blanket searches of their targets. They have legal powers and actual possibilities to make the parent companies located on their territory search cloud data of all business customers for indications of target persons, which enable the services to obtain the most comprehensive, complete and intimate picture of their target persons. In other words, it must be expected that the intelligence services of powers that do not guarantee third-country nationals adequate data protection will in principle accumulate all kinds of information, without this being apparent to the persons concerned or without them being granted legal protection against this comparable to Swiss law. Furthermore, it must be expected that the intelligence services of these states attach little importance in particular to the principles of purpose limitation and proportionality and regularly obtain private and intimate information such as health data from their target persons. Against this background, Suva’s assumption that the outsourced data hardly includes any content that could typically be the subject of intelligence search orders would meet with reservations even if the admissibility of its risk-based approach were affirmed.
In addition, such powers target the community as a whole and not just individual categories of data:
32 In the Commissioner’s view, federal bodies that are part of a narrower or broader circle of the federal public administration should take into account, before outsourcing personal data, that intelligence data procurement by foreign states without adequate data protection legislation usually targets foreign communities as a whole. The authorities of such states may exert high pressure on the parent groups located on their territory to achieve their procurement goals. The latter, in turn, may thus be prompted to encourage their subsidiaries and other offices in Europe and Switzerland to execute search requests in the personal data files of several or even all of their business customers.
Thus, it seems questionable whether the organization-specific content of the personal data that an individual federal office or an individual federal enterprise such as Suva has processed in a Microsoft cloud can constitute a suitable criterion in the context of its risk-based approach to assess the probability of data access by foreign authorities. However, even if one were to affirm the suitability of the criterion, the low assessment of this probability based on it by Suva, which as a federal body belongs to the extended circle of the commonwealth of the Swiss Confederation, would prove to be insufficiently justified in the form in which it was undertaken.
Therefore, and in general, the assessment of the probability of access based on the form mentioned is questionable:
Overall, the admissibility of the outsourcing and the associated possibility of data disclosure to the USA as a country without an adequate level of data protection would have to prove problematic even if the legal admissibility of Suva’s risk-based approach were affirmed. On the one hand, it carried out this assessment using organ-specific criteria, the appropriateness of which appears doubtful. In addition, Suva reduced the probability of access by US authorities in its estimate to a negligible value, the derivation of which remains inadequately substantiated in factual terms in the view of the FDPIC.
37 Suva has not only shown a low probability of access by a third-party authority, but has also quantified it on the basis of the calculation method used with probabilities extrapolated to hundredths of a percent or to hundreds of years. This claim to value accuracy raises doubts, as it is in obvious contrast to the broad discretionary bandwidths that the calculation model grants those responsible for processing the assumptions from which the quantified risk is derived.
If Suva sticks to the risk-based approach – which the FDPIC does not exclude – a reassessment is required:
40 While maintaining its risk-based approach, the FDPIC advises Suva to promptly reassess the risks associated with the outsourcing of part of its personal data and to adapt its project decisions to the knowledge available to it on the relevant factual and legal situation. In the opinion of the FDPIC, this includes taking into account the trend-setting decisions within the framework of the federal government’s cloud strategy as well as the aforementioned negotiations on a successor regulation to the terminated Privacy Shield framework.
In summary, the FDPIC states:
The FDPIC sees no reason at present to investigate the facts brought to its attention ex officio. However, depending on the development of the factual situation and the legal situation, it reserves the right to take supervisory action at a later date.
Answer from Suva
Together with its opinion, the FDPIC also published Suva’s response of June 9, 2022. Suva does not share the opinion of the FDPIC. Its main objections can be summarized as follows:
- Suva does not conclude the contract for cloud use with the US company, Microsoft Corp, but with the Irish subsidiary, Microsoft Operations. If there is a disclosure from this to the USA, the standard contractual clauses apply between the Microsoft companies.
- The CLOUD Act permits data access only within a framework that is essentially the same as that of the Cybercrime Convention (CCC) ratified by Switzerland. Accordingly, data access is only possible if a company subject to U.S. jurisdiction has effective access to the data in question (“possession, custody or control”). This is apparently not the case for Microsoft’s US company with regard to the data in question:
… we make sure that Microsoft can and must take the position that their US parent (and only this one is subject to the SCA) has neither “day-to-day control” nor “legal control” over our data in plaintext (and certainly not “possession” or “custody”, because the data is only stored in Switzerland and by another company). In this way, even under US law, access requests can be rejected.
- The “Rosenthal method” is more sophisticated and holistic than the FDPIC’s guidance, is compatible with it, and a better method is not known.
- The risk-based approach is inherent in Swiss data protection law, and it also applies to foreign disclosures.
- If Switzerland were to abandon the risk-based approach here, international data transfers to states such as the USA would have to be generally prohibited.
- Schrems II allows for the risk-based approach.
- The relevant principles of US law do not apply in casu.
Notes
The first question is what the FDPIC says in its opinion. One may read the statements as follows:
- Whether the risk-based approach is admissible is not something the FDPIC can or wants to judge conclusively, but in any case it shies away from confirming the risk-based approach.
- It is doubtful whether the risks were correctly assessed with the form used – the probability values are not convincing because their derivation was not sufficiently clear, and in any case the “claim to value accuracy” is doubtful.
- Suva should carry out a reassessment. By then, a new Privacy Shield may be foreseeable, and one should also wait until the results of the federal government’s test operation of the Microsoft cloud are available.
In other words, the FDPIC has expressed doubts in various respects but has not substantiated them in terms of content.
There are a few points to note about this:
- Schrems II is not binding for Switzerland. Nor are guidelines issued by the EDSA. Even within the EEA, opinions of authorities are not binding. Switzerland has its own data protection law, even if it rightly does not close its eyes to the GDPR. Adopting EU law can be right and sensible, but only within the framework of Swiss law.
- The wording of Art. 6 FADP shows precisely that, in the case of transfers abroad, data subjects are to be protected from serious violations of their personality. There is no clearer way to formulate a risk-based approach. Not every transfer to a country with weaker legal protection leads to a serious violation of privacy. The FADP does not make data subjects a pawn in political disputes.
- That certain fundamentals of U.S. law are deficient from a Swiss perspective is true. However, as long as they do not apply in a specific case, these bases have no concrete significance and cannot lead to a violation of personality, certainly not a serious one.
- The FDPIC has omitted this examination – whether the deficient U.S. law applies – arguing that a risk-based approach is lacking. This mixes two questions: under what conditions and to what are these laws applicable at all, and, if they are, with what probability does an authority make use of them. Only the second question deserves the name “risk-based approach”. The first question, however, should not be ignored.
- The form by David Rosenthal uses probability values not because there is a demand for accuracy, but for self-reflection in an otherwise emotional risk assessment (as the FDPIC’s opinion itself shows) and as an instrument of risk communication. Of course, “garbage in, garbage out” applies, but in what assessment does it not?
- Other agencies have accepted the risk-based approach, not just the Zurich Government Council, but also a well-known supervisory authority for professional secrets (a data law issue, but not a data protection law issue; professional secrets, however, protect the will to secrecy comprehensively – if no secret stands in the way of a data disclosure, then neither does data protection).
All in all, the impression is that the FDPIC is protecting its own position on all sides. In view of the still unconfirmed adequacy of the Swiss level of protection, a flank is probably to be avoided here – this is not incomprehensible, because if Swiss law has a different standard precisely on the issue of foreign transfers, Switzerland risks becoming a hub of unregulated data flows from the EU’s perspective. At the same time, the FDPIC is aware that a consistent zero-risk approach would lead to the collapse of the Swiss economy. Not only would there be no more team calls – there would be no more global corporations and no more international cancer research. There is no realistic alternative for international data transfers. A zero-risk approach takes the entire economy hostage to political wrangling, arguing that under certain conditions – which are not examined! – certain categories of data could be accessed too extensively.
Overall, while there remains gratitude that there is a good exchange between the supervisory authority and the law-applying authorities and companies in Switzerland, there is also a certain perplexity and the impression of a perhaps somewhat despondent attitude towards the EU. According to Art. 28 and Art. 31 FADP, as well as Art. 58 revDSG, the FDPIC has the task of assisting private individuals and bodies of the Confederation and the cantons in matters of data protection. This requires contributing to legal certainty in an area of law that is developing so rapidly, is so complex, and is so far-reaching.