Can­ton BE: Inno­va­ti­ve pro­po­sal for faci­li­ta­ting the use of cloud services

Like other can­to­nal data pro­tec­tion laws, the Ber­ne­se Data Pro­tec­tion Act (KDSG) is under revi­si­on, the con­sul­ta­ti­on docu­ments are here to find.

In view of the ongo­ing acti­ve dis­cus­sion about out­sour­cing by public bodies, Art. 15 on the dis­clo­sure of per­so­nal data abroad (pro­po­sal of June 21, 2023) is par­ti­cu­lar­ly note­wor­t­hy. The fol­lo­wing pro­vi­si­on is proposed:

Art. 15 Dis­clo­sure abroad

1 The respon­si­ble aut­ho­ri­ty may dis­c­lo­se per­so­nal data abroad if the fun­da­men­tal right to data pro­tec­tion of the per­son con­cer­ned is ade­qua­te­ly protected.

2 Ade­qua­te pro­tec­tion can be ensu­red by

a trea­ty under inter­na­tio­nal law,

b a decla­ra­to­ry decis­i­on of the Fede­ral Coun­cil in accordance with fede­ral data pro­tec­tion legis­la­ti­on or

c other ade­qua­te guarantees.

3 By way of dero­ga­ti­on from para­graphs 1 and 2, the respon­si­ble aut­ho­ri­ty may dis­c­lo­se per­so­nal data abroad if

a the dis­clo­sure is neces­sa­ry in indi­vi­du­al cases for the pro­tec­tion of an over­ri­ding public interest,

b the data sub­ject has express­ly con­sen­ted to the dis­clo­sure in the indi­vi­du­al case or has made their per­so­nal data gene­ral­ly acce­s­si­ble and has not express­ly pro­hi­bi­ted processing,

c the dis­clo­sure is neces­sa­ry to pro­tect the life or phy­si­cal or men­tal inte­gri­ty of the data sub­ject or a third par­ty and it is not pos­si­ble to obtain the data subject’s con­sent within a rea­sonable peri­od of time, or

d (sup­ple­ment for vari­ant 2) the dis­clo­sure is made for the pur­po­se of pro­ce­s­sing the order and the requi­re­ments are met.

The Govern­ment Coun­cil is the­r­e­fo­re pro­po­sing two vari­ants to the Grand Coun­cil – one vari­ant that lar­ge­ly cor­re­sponds to what is known, and a second vari­ant that allo­ws dis­clo­sure to a coun­try wit­hout an ade­qua­te level of pro­tec­tion even then, if it con­cerns order pro­ce­s­sing, which is very often the case, espe­ci­al­ly with the cloud ser­vices we are tal­king about here. The pre­re­qui­si­te is that the requi­re­ments for order pro­ce­s­sing are met. This is usual­ly the case with the major cloud pro­vi­ders wit­hout any problems.

The justi­fi­ca­ti­on for the pro­po­sed regu­la­ti­on, the so-cal­led “pro­po­sal” (dated June 21, 2023), says the following:

Opti­on 1 com­pri­ses Artic­le 15(1) to (3)(a) to (c). It only pro­vi­des for rest­ric­ti­ve excep­ti­ons and gives grea­ter weight to the fun­da­men­tal right to data pro­tec­tion of the data sub­jects than to the public inte­rests of the respon­si­ble aut­ho­ri­ties ari­sing from the use of US cloud solutions.

In addi­ti­on to Artic­le 15(1) to (3)(a) to (c), vari­ant 2 pro­vi­des for a pro­vi­des for a fur­ther excep­ti­on in let­ter d, which is inten­ded to faci­li­ta­te the use of US cloud solu­ti­ons. It gives grea­ter weight to the public inte­rests of the respon­si­ble aut­ho­ri­ties in the use of US cloud solu­ti­ons than the inter­ven­ti­ons con­side­red unli­kely in this vari­ant the fun­da­men­tal rights of the per­sons concerned.


Addi­ti­on to vari­ant 2: let­ter d

Vir­tual­ly every public aut­ho­ri­ty has a Twit­ter, You­Tube or Insta­gram account and soft­ware solu­ti­ons such as Zoom or Teams have been used regu­lar­ly in the edu­ca­ti­on sec­tor sin­ce the coro­na­vi­rus pan­de­mic. The case law of the Euro­pean Court of Justi­ce on the level of data pro­tec­tion in the USA and the Fede­ral Council’s sub­se­quent assess­ment of this make it more dif­fi­cult for the respon­si­ble aut­ho­ri­ties to use such ser­vices from US pro­vi­ders, as the decisi­ve fac­tor is whe­ther the per­so­nal data is pro­ce­s­sed in Switz­er­land, the Euro­pean Uni­on or the USA. The Govern­ment Coun­cil of the Can­ton of Bern is the­r­e­fo­re pro­po­sing a fur­ther excep­ti­on in the con­sul­ta­ti­on pro­ce­du­re, which does not requi­re an ade­qua­te level of data pro­tec­tion for the dis­clo­sure abroad. This is inten­ded to reflect rea­li­ty and faci­li­ta­te the use of US cloud solu­ti­ons.

This devia­ting regu­la­ti­on vis-à-vis the Con­fe­de­ra­ti­on and, as far as is known, also vis-à-vis the other can­tons – inclu­des a Loca­tio­nal advan­ta­ge for the can­ton of Bern. The use of US cloud solu­ti­ons should the­r­e­fo­re be per­mit­ted if the requi­re­ments for pro­ce­s­sing on behalf are met. This would mean that the respon­si­ble aut­ho­ri­ties would only have to gua­ran­tee data secu­ri­ty (Art. 12 para. 3 VE-KDSG). This is based on the risk of a vio­la­ti­on of fun­da­men­tal rights (Art. 10 para. 1 VE-KDSG). In this vari­ant assu­med that the data pro­tec­tion risks that may ari­se for data sub­jects from the use of US cloud solu­ti­ons are of a theo­re­ti­cal natu­re and are hard­ly rele­vant in prac­ti­ce. On the other hand, the­re are major prac­ti­cal public inte­rests in using the world’s best cloud solu­ti­ons: They enable the aut­ho­ri­ties to achie­ve their digi­tizati­on goals much more quick­ly, cost-effec­tively and in a more cus­to­mer-fri­end­ly man­ner than with con­ven­tio­nal, non-cloud-based soft­ware. The poten­ti­al­ly easier access to data by for­eign cri­mi­nal aut­ho­ri­ties or intel­li­gence ser­vices or the limi­t­ed oppor­tu­ni­ties to take legal action against data pro­tec­tion vio­la­ti­ons abroad are weigh­ted more heavily.

The use of US cloud soft­ware is the norm in both pri­va­te and busi­ness envi­ron­ments. Almost ever­yo­ne has an Apple, Micro­soft or Goog­le account and devices, and most busi­nesses could no lon­ger func­tion wit­hout US cloud soft­ware. In this cir­cum­stance lies a Risk decis­i­on for socie­ty as a who­lewhich is taken into account by the legis­la­tor in this vari­ant: If almost all peo­p­le and com­pa­nies con­sider the risks under dis­cus­sion to be pro­por­tio­na­te and accep­ta­ble for them­sel­ves, then the can­ton can and should do the same for its popu­la­ti­on. In con­trast to pri­va­te indi­vi­du­als, public aut­ho­ri­ties are also bound by con­sti­tu­tio­nal prin­ci­ples such as the prin­ci­ple of lega­li­ty, which is why the situa­tions are only com­pa­ra­ble to a limi­t­ed ext­ent. Nevert­hel­ess, the can­ton should also be able to take the pri­va­te risk assess­ment into account, which is why this vari­ant is being sub­mit­ted for consultation.

On the one hand, this pro­po­sal illu­stra­tes the prac­ti­cal needs of can­to­nal aut­ho­ri­ties in par­ti­cu­lar, but not only, which, like other orga­nizati­ons, are under pres­su­re to push ahead with digi­ta­lizati­on. On the other hand, it is, as far as can be seen, the first attempt to address the exi­sting con­cerns, requi­re­ments and, abo­ve all, uncer­tain­ties by legis­la­ti­ve means.

The aut­hors of the pro­po­sal, the Direc­to­ra­te of Home Affairs and Justi­ce, are obvious­ly awa­re that this pro­po­sal is bold, as it has only been pre­sen­ted as a vari­ant. The wor­ding of the pro­po­sal also seems rather defen­si­ve, and the refe­rence to the loca­tio­nal advan­ta­ge is not very con­vin­cing as long as Zurich aut­ho­ri­ties can­not relo­ca­te their acti­vi­ties to Bern. Ulti­m­ate­ly, the pro­po­sal postu­la­tes the nor­ma­ti­ve power of the fac­tu­al – not an argu­ment from a legal per­spec­ti­ve, but cer­tain­ly from a legal poli­cy per­spec­ti­ve, as long as the prac­ti­cal neces­si­ties are suf­fi­ci­ent­ly pro­ven. The law does not ope­ra­te in a vacu­um, and the focus on data secu­ri­ty is cer­tain­ly expe­di­ent becau­se it inclu­des the pre­ven­ti­on of unlawful access.

Howe­ver, the pro­po­sal does not ans­wer the The que­sti­on of what level of data secu­ri­ty against access by the aut­ho­ri­ties is indi­ca­ted. Seen in this light, the vari­ant mere­ly shifts the focus of the issue from abroad to data secu­ri­ty. This in its­elf does not sol­ve any pro­blems, but the dis­cus­sion will per­haps, hop­eful­ly, beco­me less tense.

The head of the Ber­ne­se data pro­tec­tion aut­ho­ri­ty (Data Pro­tec­tion Aut­ho­ri­ty, DSA), Ueli Buri, has been very cri­ti­cal of this. The vari­ant vio­la­tes con­sti­tu­tio­nal and inter­na­tio­nal lawlike him the Con­fe­de­ra­ti­on quo­tes. Howe­ver, this must be con­tra­dic­ted at least if the risk of access by the aut­ho­ri­ties must be redu­ced to an appro­pria­te level by means of sui­ta­ble secu­ri­ty measures.

It should be noted that the idea of allo­wing dis­clo­sure abroad in the con­text of order pro­ce­s­sing wit­hout fur­ther requi­re­ments is not new. Bru­no Bae­ris­wyl, the then head of the Zurich data pro­tec­tion aut­ho­ri­ty, had taken this view in the pre­vious edi­ti­on of the Stämpf­li Hand­kom­men­tar zum DSG (Art. 10a) becau­se the­re was no dis­clo­sure in this case:

43 In doc­tri­ne and prac­ti­ce, it is argued that in the case of out­sour­cing abroad, Art. 6 FADP regar­ding the cross-bor­der dis­clo­sure of data also applies. This view must be con­tra­dic­ted, as it is the out­sour­cing is not a data dis­clo­sure in the sen­se of data pro­tec­tion law […]. Full respon­si­bi­li­ty lies with the data pro­ces­sor who out­sour­ces the data pro­ce­s­sing; it is not (par­ti­al­ly) trans­fer­red to the data reci­pi­ent as in the case of data disclosure.




Rela­ted articles