- Expert opinion recommends not storing sensitive personal data in Microsoft clouds due to loss of control and access by US authorities.
- Encryption (effective against provider access) or local/alternative hosting in non-US data centers proposed as mitigating measures.
- Criticism: The authors’ interpretation of the US SCA is disputed; risk assessment (probability and consequences of access) remains central.
Dr. Philip Glass and Prof. Dr. Markus Schefer, commissioned by egovpartner (a cooperation organization of the municipalities, cities and the Canton of Zurich), have drawn up an expert opinion on the use of Microsoft 365 by public bodies in Switzerland in compliance with fundamental rights (using the example of the Canton of Zurich). The expert opinion was published in Jusletter IT of December 20, 2023 and is available from Editions Weblaw, Bern 2023. It poses the question of
how the municipalities in the Canton of Zurich can use cloud services (in particular M365) in a constitutional and data protection-compliant manner.
The report was made available to the municipalities of the Canton of Zurich prior to publication and has been cleared for passing on to third parties since the beginning of October 2023. The authors received feedback on it, which they address in an addendum to the report.
The expert opinion can also be downloaded from David Rosenthal’s website. David Rosenthal already published comments on the expert opinion on November 10, 2023; see below.
Results of the expert opinion
The experts essentially come to the following conclusions:
- Art. 13 para. 2 BV protects against the misuse of data as a minimum guarantee of lawful data processing and provides a legally protected interest in correct data processing in accordance with the rule of law. In addition, Art. 13 para. 2 BV includes the “Protection of informational self-determination”, which safeguards the exercise of fundamental rights.
- Different “elements of interference” may have to be justified individually, and they must also be reasonable when viewed as a whole. Informational self-determination is particularly impaired if the data processing can lead to a self-restriction in the exercise of fundamental rights (chilling effect).
- The intensity of the interference results from the interplay between the loss of control and the effectiveness of legal remedies against it, and from the personal nature of the data processing (proximity to personality). In individual cases, it must be examined to what extent a loss of control can be counteracted by safeguards and the proximity to personality by anonymization.
- The storage of personal data in the cloud amounts to storage “on reserve” for the attention of U.S. authorities, who have access via the CLOUD Act or the Stored Communications Act (SCA). Such access would violate the principles of Swiss law, constitute non-transparent processing and breach purpose limitation. Given the number of data subjects affected and the loss of control, a serious encroachment can generally be assumed.
- The “Rosenthal method” appears to be “not yet sufficiently mature” for use in the public law sector, but it can provide information on the order of magnitude of the probability of a breach. Moreover, no alternative with a similarly structured argumentation is apparent; the data protection authorities also provide “little guidance on how [the risks associated with cloud use] could be assessed in a legally sound manner”.
- A low risk of access seems “plausible under the given circumstances”, but this may change with the increasing use of M365.
- The interference gains in intensity when dependence on the Office products is taken into account: the public administration has no alternatives for the further development of these products.
- The legal bases in Zurich allow the processing of special personal data, but they are not sufficient for the specific elements of interference involved in outsourcing to the cloud of a US company.
- Like the cantonal authorities, the experts recommend encrypting at least sensitive personal data stored in the cloud, which could enable constitutionally compliant use of M365 if the encryption is also effective against access by the provider.
It follows from this:
In view of the interventions described and their intensity, as well as the inadequate legal basis for the assumption of the corresponding risks by public bodies in the Canton of Zurich, at the present time a waiver of certain forms of processing of special personal data (= serious interference with informational self-determination) by means of M365 is recommended. This applies to all forms of processing that involve storing data in the Microsoft cloud. For the foreseeable future, a milder option here is to operate such applications in their own data centers and only update them via the cloud service. Alternatively, traditional outsourcing to data centers of a third party that is not subject to U.S. law can be considered. This assessment must be constantly reviewed in the light of future legal and technical developments.
Critical comments
Arguments vs. terminology
The report gives rise to criticism on the following points. First of all, the substantive arguments must be distinguished from the terminology, which is not easy. The comments on the right to informational self-determination are, however, of a terminological nature; that this right is a genuine right in its own right is hardly justified:
- The authors start from the census ruling of the German Federal Constitutional Court, which recognized such a right. In Switzerland, the Federal Court has repeatedly used the concept of the right to informational self-determination. The authors trace this development, as well as the legislator’s references to this concept.
- However, they concede that the content of this right can only be determined by interpreting Article 13 of the Federal Constitution and the relevant statutory law. It follows that informational self-determination is essentially only a concept that has no normative force; it is therefore merely a conceptual bracket for constitutional and statutory law to be interpreted according to the usual rules.
- The question is therefore whether the term “informational self-determination” is really appropriate, a debatable but probably merely semantic question; in any case, the term is of little use as a source of interpretation. The authors hardly derive any concrete conclusions from it.
Also of a terminological nature are the references to the various “elements of interference” of data processing. The authors argue that the various elements of interference (e.g. type of data, purpose of processing, type and scope of processing, the further circumstances of processing, etc., i.e. the “means of processing”) must each be legitimized in their own right under Art. 36 BV and that the processing must also be reasonable overall. This is correct, but it says little: whether the requirements of Art. 36 BV are applied to individual aspects of the interference or to the processing as a whole is irrelevant; either way, the severity of the interference is decisive, and this can of course result from individual aspects such as data storage, from their interaction, or from both.
Content point: Loss of control
In the actual examination of the elements of interference identified in connection with cloud outsourcing, and thus the core of the question, the authors conclude that outsourcing is associated with a legal and de facto loss of control. It is this loss of control that leads them to the conclusion that the existing legal basis is not sufficient.
They begin here by stating that the existing expert opinions on the subject argue, rightly, with the low probability of access by the authorities, but that they fail to take into account that storage in the cloud already constitutes an element of interference in its own right which should be examined separately.
This is certainly conceptually correct, but not new: if the storage can constitute a danger, it must of course be examined according to the criteria of Art. 36 BV, whether it is described as an “element of interference” or not. Glass and Schefer assume an increased risk associated with mere storage in a US cloud, essentially because the US CLOUD Act and the Stored Communications Act amended by it allow access in circumvention of mutual legal assistance, in violation of the principles of transparency and purpose limitation and in violation of the Cybercrime Convention.
This interpretation of the CLOUD Act does not hold:
- The thesis that storage in a cloud of a US provider is storage “on reserve” for the attention of the US authorities rests on the consideration that access under the SCA violates Art. 32 of the Cybercrime Convention (CCC). Art. 32 CCC stipulates that authorities of a contracting state may access data in the territory of another contracting party essentially only with the consent of the person who may dispose of this data (e.g. a local ISP; see also BGE 141 IV 108). However, Art. 18 CCC allows the authorities to order the production of data, including data stored abroad, from anyone who has possession or control of that data. This may be Microsoft USA, but also depends on the specific design of the services. This corresponds more or less to the SCA (§ 2713), which therefore does not violate basic rules recognized in Switzerland.
- It is not the case that a provider may never inform customers of a disclosure order. This depends on the legal basis of the order; in the case of a subpoena or a court order, notification is at least not generally excluded (SCA § 2703(b)(1)).
- It is also incorrect that a US provider can only defend itself against SCA-based access by US authorities if an executive agreement has been concluded. Without such an agreement, the provider cannot claim that disclosure would violate the law of another state, but the objection remains that a “comity analysis” precludes disclosure (§ 2703(h)(2)(B)(ii) and (3)).
- The authorities’ access options under the SCA are by no means “unlimited”, as the authors write. Rather, they presuppose that a warrant, a subpoena or a court order has been issued. This says nothing about the prerequisites for these instruments, but they are not unconditional and not available without limit.
The authors address some of these points in the addendum. However, as they stand by the conclusions of the report, the criticism remains relevant.
What remains
The argumentation of Glass and Schefer is fundamentally consistent in that they emphasize that more serious encroachments on fundamental rights require an explicit legal basis, i.e. that an indirect legal basis through the assignment of tasks is no longer sufficient. There is nothing to be said against this. On the merits, however, they argue largely, though not exclusively, on the basis of an interpretation of the Stored Communications Act that cannot be shared. Accordingly, their conclusions must also be rejected.
However, the reference to a certain loss of control and supplier dependency is correct. Whether these aspects in themselves call for a special legal basis is left open by the expert opinion because it does not assume that only these aspects are decisive.
It therefore remains the case that the risks of access by the authorities must be examined and that, above all, the probability of access, and of course the weight of its consequences, are decisive. Here, the authors do not consider the Rosenthal method unsuitable, even if they note certain shortcomings (which, however, cannot really be described as shortcomings; rather, they are inherent in the method, which does not claim to answer all questions). As a result, the expert opinion should have no influence on the assessment of outsourcing by public bodies.
Notes from David Rosenthal
As noted, David Rosenthal has also written detailed comments on the expert opinion, which are available here. Insofar as they coincide with the above comments, they are not repeated here. However, he also notes the following points:
- Swiss law recognizes disclosure orders that are comparable to those under the SCA. It is therefore also wrong to say that the SCA is difficult to reconcile with the principles of Swiss law.
- The “end-to-end” encryption for sensitive data recommended in the report is neither suitable nor necessary, at least for M365; access by the authorities can also be counteracted with less restrictive measures.
- It is not relevant whether there is an adequate level of data protection in the USA (which should be the case in the foreseeable future with the Privacy Framework, even from a Swiss perspective). The customer discloses data to Microsoft in Ireland. Access from the USA is at most exceptional, and then not necessarily to personal data.
- It cannot be said that local storage of personal data is more secure than storage in the cloud. Rather, it must be taken into account that with M365, the “minimal loss of control” in the area of access by authorities is offset by a “significantly higher ‘gain in control’ in terms of protection against hackers and other dangers”.
- The fundamental suitability of the Rosenthal method is confirmed in the expert opinion. The probability of access by foreign authorities remains decisive. The method can plausibly demonstrate this.