- Revised §17 allows processing of special personal data by third-party providers if data centers are located in Switzerland/an adequate country or if appropriate protective measures are in place.
- Authorities must take technical, organizational and contractual measures to ensure that access by foreign states is kept to a minimum.
- Act creates explicit legal basis for cloud-based applications in digital workplaces of public authorities and emphasizes legal certainty instead of detailed technological specifications.
The canton of Zurich conducted a consultation on the “Law on Basic Digital Services” (see here). Among other points, the version of Section 17 proposed at the time stipulated that information must always be stored in Switzerland or the EU, and that special personal data or confidential or secret data must be encrypted in such a way that the cloud provider cannot access it without the involvement of the public body – in practice, this would essentially still have allowed hosting services but little beyond them.
This point was met with harsh criticism during the consultation process, which is summarized as follows in the Government Council’s report:
The proposed regulation on the use of cloud-based applications in the context of digital workplaces was controversially discussed in the consultation. The majority of participants in the consultation requested an adjustment of the conditions or a waiver of the provision. The relationship to the Act on Information and Data Protection of February 12, 2007 (IDG, LS 170.4) and the Act on the Outsourcing of IT Services was occasionally discussed. […]
The Zurich cantonal government has now – on September 18, 2024 – submitted an amended version of the draft to the cantonal council. In the new version, § 17 reads as follows:
§ 17. 1 The processing of personal data and special personal data in applications of digital workplaces of the authorities can be transferred to third parties if
a. their data centers are located in Switzerland or in a country with adequate data protection and
b. on the basis of the technical, organizational and contractual measures taken, there is no reason to assume that a foreign state will access the data.
2 In all other respects, the provisions of the Act on Information and Data Protection of February 12, 2007* shall apply.
This essentially corresponds to the requirements of § 36 of the draft of the revised IDG Zurich. Disclosure of personal data abroad is therefore permitted – in addition to the other requirements for data processing – if
b. adequate protection for data processing is guaranteed in the recipient state, or
c. [the public body] has agreed appropriate safeguards with the recipients.
Furthermore, the requirements under Art. 17 para. 1 lit. b do not apply in addition to lit. a but as an alternative to it, i.e. as a precondition for authorization if the data centers are located outside an area with adequate protection. In practice, this should generally require the conclusion of the Standard Contractual Clauses and the performance of a Transfer Impact Assessment that evaluates these clauses, the other TOMs and the residual risk of foreign lawful access.
This change is good news not only for cloud providers, but above all for public bodies, which would otherwise be effectively excluded from the use of all but storage services (in the applications of digital workplaces). It would only have been desirable for Section 17 to refer not only to special personal data, but also to special secrets.
The Government Council’s report says:
In addition to these existing regulations, the Act on Basic Electronic Services is intended to regulate outsourcing in the specific use case of cloud-based applications in digital workplaces of public authorities. This can be assigned to the basic services as a primarily internal administrative basic service and is technically specified or can be specified to such an extent that it is accessible to regulation.
Other applications relate to the standard level of the regulation. In particular, reference is made to legal opinions and legal views according to which legal bases (in the formal sense) are not required. As far as can be seen, however, these expert opinions mentioned in the consultation do not address the question of the conditions under which outsourcing to a foreign company’s cloud is permissible at all – from a fundamental rights perspective, i.e. also taking into account the constitutional and international legal framework.
For reasons of constitutional law and fundamental rights, no provision has been made. The legal basis to be created should contribute to legal certainty in an area with legally unresolved issues such as technological and dynamic developments. In particular, the Act on Basic Electronic Services is intended to provide the municipalities with a (more precise) legal basis for the use of cloud-based applications in digital workplaces of the authorities. The provision was revised in view of the concerns about feasibility in practice expressed in the consultation process. The requirements should take appropriate account of the existing working reality and leave room for technological developments as far as possible. Data protection and information security concerns must be included in a balanced relationship and with a view to the public interest in efficient and modern administration.
It can be assumed that technical measures that increase data and information security in particular will be further developed and ultimately depend on the range of applications offered by the selected providers in the digital workplaces of the authorities. Therefore, the formal law does not itself specify certain technological measures (encryption with key sovereignty remaining with the public body). The authority is responsible for ensuring, with technical, organizational and contractual measures, that the risk of access to data by a foreign state is reduced to a minimum.
The term “cloud-based” is not used in the legal text, as this term is still (too) unclear. Legally decisive is the qualification of “cloud computing” as a form of data processing by third parties. The subject matter of the provision in the Act on Basic Electronic Services is limited to data processing as part of the applications in digital workplaces of the authorities.